Source: ZAXkflgLEq.exe |
ReversingLabs: Detection: 71% |
Source: ZAXkflgLEq.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49732 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49733 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49734 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49740 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49741 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49742 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49743 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49744 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49745 version: TLS 1.2 |
Source: ZAXkflgLEq.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: wkernel32.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: wkernelbase.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: ntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: ntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: wkernelbase.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: wkernel32.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Source: Joe Sandbox View |
JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: www.carssell.online |
Source: dialer.exe, 00000001.00000002.2180075196.000000000327C000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: https://www.carssell.online:443/b45c71e9ac60e42309ff71/ox15jpua.xlk0e |
Source: unknown |
Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49734 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49732 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49733 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49734 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49740 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49741 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49742 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49743 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49744 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49745 version: TLS 1.2 |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: DirectInput8Create |
memstr_ce44904d-b |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: GetRawInputData |
memstr_dd65927f-f |
Source: Yara match |
File source: 1.3.dialer.exe.58d0000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.dialer.exe.56b0000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.ZAXkflgLEq.exe.4720000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.dialer.exe.56b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.dialer.exe.58d0000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.ZAXkflgLEq.exe.4940000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.3.dialer.exe.56b0000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ZAXkflgLEq.exe PID: 7392, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: dialer.exe PID: 7436, type: MEMORYSTR |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C90AA0 |
0_2_00C90AA0 |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002D12000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamekernel32j% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameKernelbase.dllj% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004898000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameTCPZ.exe, vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000049ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047F0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamekernel32j% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004B21000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameKernelbase.dllj% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004843000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004A96000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe |
Source: ZAXkflgLEq.exe |
Binary or memory string: OriginalFilenameTCPZ.exe, vs ZAXkflgLEq.exe |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: tapi32.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: amsi.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: powrprof.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: umpdc.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\SysWOW64\dialer.exe |
Section loaded: fwpuclnt.dll |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@3/0@1/1 |
Source: C:\Windows\SysWOW64\dialer.exe |
Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6} |
Source: C:\Windows\SysWOW64\dialer.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\SysWOW64\dialer.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Evasive API call chain: __getmainargs,DecisionNodes,exit |
Source: unknown |
Process created: C:\Users\user\Desktop\ZAXkflgLEq.exe "C:\Users\user\Desktop\ZAXkflgLEq.exe" |
|
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe" |
|
Source: C:\Windows\SysWOW64\dialer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: ZAXkflgLEq.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: ZAXkflgLEq.exe |
Static PE information: section name: .textbss |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C95AF4 pushad ; retf |
0_3_00C95B03 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C96285 push F693B671h; retf |
0_3_00C9628A |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C97C52 push dword ptr [edx+ebp+3Bh]; retf |
0_3_00C97C5F |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C95DCE push edi; iretd |
0_3_00C95DD5 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C96F48 push es; ret |
0_3_00C96F49 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C92F4E push eax; retf |
0_3_00C92F4F |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C9416F push ecx; iretd |
0_3_00C9417B |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C9657C push esi; ret |
0_3_00C96580 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C9412F pushad ; ret |
0_3_00C94137 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C49429 push cs; retf |
0_2_00C49565 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C48964 push ebx; retf |
0_2_00C48965 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C4750E push ds; iretd |
0_2_00C47517 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C51269 push edx; retf |
0_2_00C51422 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C4FF22 push edi; iretd |
0_2_00C4FF2D |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_03284305 push F693B671h; retf |
1_3_0328430A |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_03283B74 pushad ; retf |
1_3_03283B83 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_032821AF pushad ; ret |
1_3_032821B7 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_032821EF push ecx; iretd |
1_3_032821FB |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_032845FC push esi; ret |
1_3_03284600 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_03284FC8 push es; ret |
1_3_03284FC9 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_03280FCE push eax; retf |
1_3_03280FCF |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_03283E4E push edi; iretd |
1_3_03283E55 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_03285CD2 push dword ptr [edx+ebp+3Bh]; retf |
1_3_03285CDF |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\dialer.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\dialer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\dialer.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\dialer.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OLLYDBG.EXE |
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: X64DBG.EXE |
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: IMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEP |
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: WINDUMP.EXE |
Source: C:\Windows\SysWOW64\dialer.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\SysWOW64\dialer.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: DisableGuestVmNetworkConnectivity |
Source: dialer.exe, 00000001.00000002.2180219972.00000000034E7000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: EnableGuestVmNetworkConnectivity |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_3_00C92277 mov eax, dword ptr fs:[00000030h] |
0_3_00C92277 |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C92277 mov eax, dword ptr fs:[00000030h] |
0_2_00C92277 |
Source: C:\Windows\SysWOW64\dialer.exe |
Code function: 1_3_0328027F mov eax, dword ptr fs:[00000030h] |
1_3_0328027F |
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe |
Code function: 0_2_00C90AA0 HeapCreate,HeapAlloc,HeapAlloc,GetModuleHandleA,HeapAlloc,CreateEventA,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,HeapFree,WaitForSingleObject,FindCloseChangeNotification,VirtualFree,GetProcessHeap,HeapFree,HeapDestroy, |
0_2_00C90AA0 |
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OllyDbg.exe |
Source: Yara match |
File source: 00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |