Source: google.vrthcobj.com |
Virustotal: Detection: 7% |
Perma Link |
Source: C:\Users\user\AppData\Local\Temp\sqlite.dll |
Virustotal: Detection: 13% |
Perma Link |
Source: TMB1fxNaqR.exe |
Virustotal: Detection: 44% |
Perma Link |
Source: TMB1fxNaqR.exe |
ReversingLabs: Detection: 59% |
Source: TMB1fxNaqR.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: unknown |
HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2 |
Source: |
Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr |
Source: Traffic |
Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:58824 -> 34.97.69.225:53 |
Source: Joe Sandbox View |
IP Address: 172.67.146.70 172.67.146.70 |
Source: Joe Sandbox View |
JA3 fingerprint: ce5f3254611a8c095a3d821d44539877 |
Source: unknown |
DNS traffic detected: queries for: a.goatgame.co |
Source: unknown |
Network traffic detected: HTTP traffic on port 49708 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49708 |
Source: unknown |
HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2 |
Source: TMB1fxNaqR.exe, 00000000.00000002.199960320.000000000075A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_004048FD |
0_2_004048FD |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD |
Source: TMB1fxNaqR.exe, 00000000.00000002.200008451.00000000020F0000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000000.00000000.197015002.000000000040E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000002.00000002.215054840.00000000021B0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000002.00000002.214734311.000000000040E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000002.00000002.215069964.0000000002200000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000002.00000002.215033311.0000000002110000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000002.00000002.215017751.0000000002100000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe, 00000002.00000002.215012630.00000000020F0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamenlsbres.dllj% vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe |
Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe |
Source: TMB1fxNaqR.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal76.winEXE@5/2@3/1 |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString, |
0_2_00401050 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_01 |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
File created: C:\Users\user\AppData\Local\Temp\sqlite.dat |
Jump to behavior |
Source: TMB1fxNaqR.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
File read: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: TMB1fxNaqR.exe |
Virustotal: Detection: 44% |
Source: TMB1fxNaqR.exe |
ReversingLabs: Detection: 59% |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
File read: C:\Users\user\Desktop\TMB1fxNaqR.exe:Zone.Identifier |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' |
|
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a |
|
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Jump to behavior |
Source: |
Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, |
0_2_004018A0 |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_004065A0 push eax; ret |
0_2_004065CE |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
File created: C:\Users\user\AppData\Local\Temp\sqlite.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 3148 |
Thread sleep time: -30000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 5076 |
Thread sleep time: -30000s >= -30000s |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, |
0_2_004018A0 |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_004053C0 SetUnhandledExceptionFilter, |
0_2_004053C0 |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_004053D2 SetUnhandledExceptionFilter, |
0_2_004053D2 |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a |
Jump to behavior |
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe |
Code function: 0_2_0040268E EntryPoint,GetVersion,GetCommandLineA, |
0_2_0040268E |