Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Analysis ID: 1436368
MD5: 813b31f7ee7bbdd8e42890394ea6f16f
SHA1: 31f3b24ab55399f61ca2a39055714883ba01807c
SHA256: 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Windows\mbrmqqboi.exe Avira: detection malicious, Label: HEUR/AGEN.1339215
Source: C:\tcls\Cyber.exe Avira: detection malicious, Label: LINUX/Shelma.denpe
Source: C:\Windows\mbrmqqboi.exe ReversingLabs: Detection: 51%
Source: C:\Windows\mbrmqqboi.exe Virustotal: Detection: 53%
Source: C:\tcls\Cyber.exe ReversingLabs: Detection: 79%
Source: C:\tcls\Cyber.exe Virustotal: Detection: 58%
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe ReversingLabs: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Virustotal: Detection: 63%
Source: C:\Windows\mbrmqqboi.exe Joe Sandbox ML: detected
Source: C:\tcls\Cyber.exe Joe Sandbox ML: detected
Source: C:\tcls\Cyber.exe Code function: 1_2_032A6322 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash, 1_2_032A6322
Source: C:\tcls\Cyber.exe Code function: 1_2_032A63B0 CryptAcquireContextA,CryptAcquireContextA, 1_2_032A63B0
Source: C:\tcls\Cyber.exe Code function: 1_2_032A610D CryptEncrypt, 1_2_032A610D
Source: C:\tcls\Cyber.exe Code function: 1_2_032A61D0 CryptDuplicateKey, 1_2_032A61D0
Source: C:\tcls\Cyber.exe Code function: 1_2_032A6419 CryptDestroyKey,CryptDestroyKey, 1_2_032A6419
Source: C:\tcls\Cyber.exe Code function: 1_2_032A64AB CryptDestroyKey,CryptDestroyKey, 1_2_032A64AB
Source: C:\tcls\Cyber.exe Code function: 1_2_032A5F15 CryptDecrypt,CryptEncrypt,CryptEncrypt, 1_2_032A5F15

Compliance

Source: C:\tcls\Cyber.exe Unpacked PE file: 1.2.Cyber.exe.3290000.2.unpack
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Source: Binary string: name="naily.pdbm.exe" source: Cyber.exe
Source: Binary string: naily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000003.1619175656.0000000000802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1642748563.0000000000802000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cC:\tcls\Cyber.exe\??\C:\tcls\Cyber.exeen-GBenen-USnaily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1636854745.0000000000790000.00000004.00000020.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B329F7 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00B329F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3CD67 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00B3CD67
Source: C:\tcls\Cyber.exe Code function: 1_2_103E4517 FindFirstFileW,GetLastError,__invoke_watson, 1_2_103E4517
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 162.159.36.2 162.159.36.2
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=okFYfBKbmACV4or&MD=d2putLvK HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=okFYfBKbmACV4or&MD=d2putLvK HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: Client.dll String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://pcinfoupload.110route.com/forum.php?from=discuz
Source: Cyber.exe String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: Cyber.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Cyber.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://sbk.sgamer.com/cyberdown.php?cc=
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://tj.110route.com/index.html
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://uploadimg.110route.com/Upload.php
Source: Client.dll String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Client.dll String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.yileyoo.com/help
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://beian.wwwscn.com/report.php?bd=
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736

System Summary

Source: Cyber.exe.0.dr Static PE information: .vmp0 and .vmp1 section names
Source: C:\tcls\Cyber.exe File created: C:\Windows\mbrmqqboi.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B359CA 0_2_00B359CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B4C8C0 0_2_00B4C8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B37A93 0_2_00B37A93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B512E4 0_2_00B512E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B41214 0_2_00B41214
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B42392 0_2_00B42392
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B41B28 0_2_00B41B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B45352 0_2_00B45352
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B4CD6E 0_2_00B4CD6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B38677 0_2_00B38677
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B41710 0_2_00B41710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B31773 0_2_00B31773
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B41F5D 0_2_00B41F5D
Source: C:\tcls\Cyber.exe Code function: 1_2_032C4320 1_2_032C4320
Source: C:\tcls\Cyber.exe Code function: 1_2_032D11A0 1_2_032D11A0
Source: C:\tcls\Cyber.exe Code function: 1_2_032B6090 1_2_032B6090
Source: C:\tcls\Cyber.exe Code function: 1_2_032A4637 1_2_032A4637
Source: C:\tcls\Cyber.exe Code function: 1_2_032CF52E 1_2_032CF52E
Source: C:\tcls\Cyber.exe Code function: 1_2_032C0525 1_2_032C0525
Source: C:\tcls\Cyber.exe Code function: 1_2_032C3475 1_2_032C3475
Source: C:\tcls\Cyber.exe Code function: 1_2_0329EF47 1_2_0329EF47
Source: C:\tcls\Cyber.exe Code function: 1_2_03294F81 1_2_03294F81
Source: C:\tcls\Cyber.exe Code function: 1_2_032D2EB7 1_2_032D2EB7
Source: C:\tcls\Cyber.exe Code function: 1_2_032C4D00 1_2_032C4D00
Source: C:\tcls\Cyber.exe Code function: 1_2_032D8D71 1_2_032D8D71
Source: C:\tcls\Cyber.exe Code function: 1_2_032A4C8B 1_2_032A4C8B
Source: C:\tcls\Cyber.exe Code function: 1_2_032DBCE0 1_2_032DBCE0
Source: C:\tcls\Cyber.exe Code function: 1_2_102811D0 1_2_102811D0
Source: C:\tcls\Cyber.exe Code function: 1_2_10281688 1_2_10281688
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040C9C0 10_2_0040C9C0
Source: C:\tcls\Cyber.exe Code function: String function: 032C4A3A appears 89 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: String function: 00B3F4B0 appears 44 times
Source: C:\Windows\mbrmqqboi.exe Code function: String function: 00405950 appears 33 times
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.evad.winEXE@23/3@0/6
Source: C:\tcls\Cyber.exe Code function: 1_2_10481960 FSDK_GetCameraList,CoCreateInstance, 1_2_10481960
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\tcls\Cyber.exe Mutant created: \Sessions\1\BaseNamedObjects\ClientWWWS
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Command line argument: sfxname 0_2_00B3E8DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Command line argument: sfxstime 0_2_00B3E8DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Command line argument: STARTDLG 0_2_00B3E8DE
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\tcls\Cyber.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\mbrmqqboi.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe ReversingLabs: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Process created: C:\tcls\Cyber.exe "C:\tcls\Cyber.exe"
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrator:(OI)(CI)F
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrators:(OI)(CI)F
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\tcls\Cyber.exe Process created: C:\Windows\mbrmqqboi.exe C:\Windows\mbrmqqboi.exe 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC l
Source: C:\Windows\mbrmqqboi.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\sc.exe sc.exe config Winmgmt start= AUTO
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\mbrmqqboi.exe Process created: C:\Windows\mbrmqqboi.exe "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Section loaded: mpr.dll
Source: C:\tcls\Cyber.exe Section loaded: apphelp.dll
Source: C:\tcls\Cyber.exe Section loaded: mpr.dll
Source: C:\tcls\Cyber.exe Section loaded: version.dll
Source: C:\tcls\Cyber.exe Section loaded: wsock32.dll
Source: C:\tcls\Cyber.exe Section loaded: quartz.dll
Source: C:\tcls\Cyber.exe Section loaded: wininet.dll
Source: C:\tcls\Cyber.exe Section loaded: netapi32.dll
Source: C:\tcls\Cyber.exe Section loaded: iphlpapi.dll
Source: C:\tcls\Cyber.exe Section loaded: wtsapi32.dll
Source: C:\tcls\Cyber.exe Section loaded: winmm.dll
Source: C:\tcls\Cyber.exe Section loaded: windows.storage.dll
Source: C:\tcls\Cyber.exe Section loaded: wldp.dll
Source: C:\tcls\Cyber.exe Section loaded: uxtheme.dll
Source: C:\tcls\Cyber.exe Section loaded: olepro32.dll
Source: C:\tcls\Cyber.exe Section loaded: kernel.appcore.dll
Source: C:\tcls\Cyber.exe Section loaded: mswsock.dll
Source: C:\tcls\Cyber.exe Section loaded: napinsp.dll
Source: C:\tcls\Cyber.exe Section loaded: pnrpnsp.dll
Source: C:\tcls\Cyber.exe Section loaded: wshbth.dll
Source: C:\tcls\Cyber.exe Section loaded: nlaapi.dll
Source: C:\tcls\Cyber.exe Section loaded: dnsapi.dll
Source: C:\tcls\Cyber.exe Section loaded: winrnr.dll
Source: C:\tcls\Cyber.exe Section loaded: fwpuclnt.dll
Source: C:\tcls\Cyber.exe Section loaded: rasadhlp.dll
Source: C:\tcls\Cyber.exe Section loaded: client.dll
Source: C:\tcls\Cyber.exe Section loaded: ieframe.dll
Source: C:\tcls\Cyber.exe Section loaded: iertutil.dll
Source: C:\tcls\Cyber.exe Section loaded: userenv.dll
Source: C:\tcls\Cyber.exe Section loaded: winhttp.dll
Source: C:\tcls\Cyber.exe Section loaded: wkscli.dll
Source: C:\tcls\Cyber.exe Section loaded: netutils.dll
Source: C:\tcls\Cyber.exe Section loaded: textinputframework.dll
Source: C:\tcls\Cyber.exe Section loaded: coreuicomponents.dll
Source: C:\tcls\Cyber.exe Section loaded: coremessaging.dll
Source: C:\tcls\Cyber.exe Section loaded: ntmarta.dll
Source: C:\tcls\Cyber.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\mbrmqqboi.exe Section loaded: apphelp.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: wsock32.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: uxtheme.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: windows.storage.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: wldp.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: propsys.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: profapi.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: edputil.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: urlmon.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: iertutil.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: srvcli.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: netutils.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: sspicli.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: wintypes.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: appresolver.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: bcp47langs.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: slc.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: userenv.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: sppc.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: wsock32.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: uxtheme.dll
Source: C:\Windows\mbrmqqboi.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static file information: File size 15256203 > 1048576
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe
Source: Binary string: name="naily.pdbm.exe" source: Cyber.exe
Source: Binary string: naily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000003.1619175656.0000000000802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1642748563.0000000000802000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cC:\tcls\Cyber.exe\??\C:\tcls\Cyber.exeen-GBenen-USnaily.pdbm.exe source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1636854745.0000000000790000.00000004.00000020.00040000.00000000.sdmp
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\tcls\Cyber.exe Unpacked PE file: 1.2.Cyber.exe.3290000.2.unpack
Source: C:\tcls\Cyber.exe Code function: 1_2_032DB7E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_032DB7E4
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe File created: C:\tcls\__tmp_rar_sfx_access_check_6149296
Source: Cyber.exe.0.dr Static PE information: section name: .vmp0
Source: Cyber.exe.0.dr Static PE information: section name: .vmp1
Source: mbrmqqboi.exe.1.dr Static PE information: section name: .WMV0
Source: mbrmqqboi.exe.1.dr Static PE information: section name: .WMV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B400F6 push ecx; ret 0_2_00B40109
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B359BA push dword ptr [ebp+03046A00h]; ret 0_2_00B359C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3F484 push eax; ret 0_2_00B3F4A2
Source: C:\tcls\Cyber.exe Code function: 1_2_032D5370 push eax; ret 1_2_032D539E
Source: C:\tcls\Cyber.exe Code function: 1_2_103EB47D push ecx; ret 1_2_103EB490
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_004055D4 push 00405639h; ret 10_2_00405631
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040586E push 0040589Ch; ret 10_2_00405894
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00405870 push 0040589Ch; ret 10_2_00405894
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409834 push 004098A3h; ret 10_2_0040989B
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040C968 push 0040C9B6h; ret 10_2_0040C9AE
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00405119 push eax; ret 10_2_00405155
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040D1A4 push 0040D1D0h; ret 10_2_0040D1C8
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00405A00 push 00405A2Ch; ret 10_2_00405A24
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00405A38 push 00405CF4h; ret 10_2_00405CEC
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409BC8 push 00409BFCh; ret 10_2_00409BF4
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409BD0 push 00409BFCh; ret 10_2_00409BF4
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409B90 push 00409BBCh; ret 10_2_00409BB4
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409C40 push 00409C74h; ret 10_2_00409C6C
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409C48 push 00409C74h; ret 10_2_00409C6C
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409C08 push 00409C34h; ret 10_2_00409C2C
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040D42E push 0040D456h; ret 10_2_0040D44E
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040D430 push 0040D456h; ret 10_2_0040D44E
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00405CC8 push 00405CF4h; ret 10_2_00405CEC
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409CF0 push 00409D74h; ret 10_2_00409D6C
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409C80 push 00409CACh; ret 10_2_00409CA4
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409CB8 push 00409CE4h; ret 10_2_00409CDC
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409D48 push 00409D74h; ret 10_2_00409D6C
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409DAB push 00409DF9h; ret 10_2_00409DF1
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00409DAC push 00409DF9h; ret 10_2_00409DF1
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040C5B6 push 0040C66Bh; ret 10_2_0040C663
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_0040C5B8 push 0040C66Bh; ret 10_2_0040C663
Source: mbrmqqboi.exe.1.dr Static PE information: section name: .WMV1 entropy: 7.963072884561921

Persistence and Installation Behavior

Source: C:\Windows\mbrmqqboi.exe Executable created and started: C:\Windows\mbrmqqboi.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe File created: C:\tcls\Client.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe File created: C:\tcls\Cyber.exe
Source: C:\tcls\Cyber.exe File created: C:\Windows\mbrmqqboi.exe
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\sc.exe sc.exe config Winmgmt start= AUTO

Hooking and other Techniques for Hiding and Protection

Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 1070005 value: E9 2B BA E5 75
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 76ECBA30 value: E9 DA 45 1A 8A
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 1090008 value: E9 8B 8E E8 75
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 76F18E90 value: E9 80 71 17 8A
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 10A0005 value: E9 8B 4D B5 74
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 75BF4D90 value: E9 7A B2 4A 8B
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 10C0005 value: E9 EB EB B4 74
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 75C0EBF0 value: E9 1A 14 4B 8B
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 10D0005 value: E9 8B 8A F0 73
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 74FD8A90 value: E9 7A 75 0F 8C
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 10F0005 value: E9 2B 02 F1 73
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 75000230 value: E9 DA FD 0E 8C
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 2CA0005 value: E9 8B 2F 26 74
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 76F02F90 value: E9 7A D0 D9 8B
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 2CB0007 value: E9 EB DF 28 74
Source: C:\tcls\Cyber.exe Memory written: PID: 6992 base: 76F3DFF0 value: E9 1E 20 D7 8B
Source: C:\tcls\Cyber.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrator:(OI)(CI)F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Process information set: NOOPENFILEERRORBOX
Source: C:\tcls\Cyber.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\tcls\Cyber.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\mbrmqqboi.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Cyber.exe, 00000001.00000002.2884996615.0000000000144000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: >SBIEDLL.DLL
Source: C:\tcls\Cyber.exe RDTSC instruction interceptor: First address: 4CAB14 second address: 4CAB1A instructions: 0x00000000 rdtsc 0x00000002 popfd 0x00000003 pop esi 0x00000004 cbw 0x00000006 rdtsc
Source: C:\tcls\Cyber.exe Special instruction interceptor: First address: ACEE0C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00413D89 rdtsc 10_2_00413D89
Source: C:\Windows\mbrmqqboi.exe Window / User API: threadDelayed 498
Source: C:\tcls\Cyber.exe API coverage: 0.5 %
Source: C:\Windows\mbrmqqboi.exe API coverage: 0.0 %
Source: C:\Windows\mbrmqqboi.exe TID: 864 Thread sleep time: -7470000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B329F7 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00B329F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3CD67 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00B3CD67
Source: C:\tcls\Cyber.exe Code function: 1_2_103E4517 FindFirstFileW,GetLastError,__invoke_watson, 1_2_103E4517
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3F017 VirtualQuery,GetSystemInfo, 0_2_00B3F017
Source: Client.dll Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe, 00000000.00000002.1642748563.0000000000802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Cyber.exe, 00000001.00000002.2886870763.000000000110E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Client.dll Binary or memory string: ANYTHING!VMwareHamachiPseudoJuniper Network Connect Virtual AdapterCisco AnyConnect VPNCisco Systems VPNMicrosoft%02x:%02x:%02x:%02x:%02x:%02x
Source: Cyber.exe, 00000001.00000003.1647597085.0000000001136000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe API call chain: ExitProcess graph end node
Source: C:\tcls\Cyber.exe System information queried: ModuleInformation
Source: C:\tcls\Cyber.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\tcls\Cyber.exe Thread information set: HideFromDebugger
Source: C:\Windows\mbrmqqboi.exe Thread information set: HideFromDebugger
Source: C:\tcls\Cyber.exe System information queried: KernelDebuggerInformation
Source: C:\tcls\Cyber.exe Process queried: DebugPort
Source: C:\tcls\Cyber.exe Process queried: DebugObjectHandle
Source: C:\Windows\mbrmqqboi.exe Process queried: DebugPort
Source: C:\Windows\mbrmqqboi.exe Process queried: DebugObjectHandle
Source: C:\Windows\mbrmqqboi.exe Code function: 10_2_00413D89 rdtsc 10_2_00413D89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B4855B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B4855B
Source: C:\tcls\Cyber.exe Code function: 1_2_032DB7E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_032DB7E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B47439 mov eax, dword ptr fs:[00000030h] 0_2_00B47439
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B4B4B6 GetProcessHeap, 0_2_00B4B4B6
Source: C:\tcls\Cyber.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B4004A SetUnhandledExceptionFilter, 0_2_00B4004A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B40358 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B40358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B4855B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B4855B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3FEB8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B3FEB8
Source: C:\tcls\Cyber.exe Code function: 1_2_103E2766 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_103E2766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Process created: C:\tcls\Cyber.exe "C:\tcls\Cyber.exe"
Source: C:\Windows\mbrmqqboi.exe Process created: C:\Windows\mbrmqqboi.exe "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3FD07 cpuid 0_2_00B3FD07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00B3BBF0
Source: C:\Windows\mbrmqqboi.exe Code function: RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA, 10_2_004047D4
Source: C:\Windows\mbrmqqboi.exe Code function: GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA, 10_2_004048A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B3E8DE OleInitialize,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,OleUninitialize, 0_2_00B3E8DE
Source: C:\tcls\Cyber.exe Code function: 1_2_032D7BED GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_032D7BED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe Code function: 0_2_00B32B7C GetVersionExW, 0_2_00B32B7C
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD203 sqlite3_transfer_bindings, 1_2_032CD203
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD185 sqlite3_bind_parameter_index, 1_2_032CD185
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD078 sqlite3_bind_text16, 1_2_032CD078
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD040 sqlite3_bind_null, 1_2_032CD040
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD055 sqlite3_bind_text, 1_2_032CD055
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD0A8 sqlite3_bind_parameter_count, 1_2_032CD0A8
Source: C:\tcls\Cyber.exe Code function: 1_2_032CD0D3 sqlite3_bind_parameter_name, 1_2_032CD0D3
Source: C:\tcls\Cyber.exe Code function: 1_2_032CCF89 sqlite3_bind_double, 1_2_032CCF89
Source: C:\tcls\Cyber.exe Code function: 1_2_032CCFF2 sqlite3_bind_int64, 1_2_032CCFF2
Source: C:\tcls\Cyber.exe Code function: 1_2_032CCFD7 sqlite3_bind_int, 1_2_032CCFD7
Source: C:\tcls\Cyber.exe Code function: 1_2_032CCDFB sqlite3_bind_blob, 1_2_032CCDFB