Source: osk[1].exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: |
Binary string: cmd.pdbUGP source: osk[1].exe |
Source: |
Binary string: cmd.pdb source: osk[1].exe |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6022978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, |
0_2_00007FF6F6022978 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6037B4C FindFirstFileW,FindNextFileW,FindClose, |
0_2_00007FF6F6037B4C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6011560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, |
0_2_00007FF6F6011560 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60135B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, |
0_2_00007FF6F60135B8 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F602823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, |
0_2_00007FF6F602823C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60288C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, |
0_2_00007FF6F60288C0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F602898C NtQueryInformationToken, |
0_2_00007FF6F602898C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60289E4 NtQueryInformationToken,NtQueryInformationToken, |
0_2_00007FF6F60289E4 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6027FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, |
0_2_00007FF6F6027FF8 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, |
0_2_00007FF6F603BCF0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6028114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, |
0_2_00007FF6F6028114 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6041538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, |
0_2_00007FF6F6041538 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6013D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, |
0_2_00007FF6F6013D94 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6015240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, |
0_2_00007FF6F6015240 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6024224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList, |
0_2_00007FF6F6024224 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60237D8 |
0_2_00007FF6F60237D8 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6013410 |
0_2_00007FF6F6013410 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6025554 |
0_2_00007FF6F6025554 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601AA54 |
0_2_00007FF6F601AA54 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6037F00 |
0_2_00007FF6F6037F00 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6019B50 |
0_2_00007FF6F6019B50 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6015B70 |
0_2_00007FF6F6015B70 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6013F90 |
0_2_00007FF6F6013F90 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603AFBC |
0_2_00007FF6F603AFBC |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6016BE0 |
0_2_00007FF6F6016BE0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6012C48 |
0_2_00007FF6F6012C48 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603AC4C |
0_2_00007FF6F603AC4C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6027854 |
0_2_00007FF6F6027854 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6011884 |
0_2_00007FF6F6011884 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60218D4 |
0_2_00007FF6F60218D4 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601B0D8 |
0_2_00007FF6F601B0D8 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6018510 |
0_2_00007FF6F6018510 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6017D30 |
0_2_00007FF6F6017D30 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6041538 |
0_2_00007FF6F6041538 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603D9D0 |
0_2_00007FF6F603D9D0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60181D4 |
0_2_00007FF6F60181D4 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601CE10 |
0_2_00007FF6F601CE10 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6018DF8 |
0_2_00007FF6F6018DF8 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603AA30 |
0_2_00007FF6F603AA30 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6014A30 |
0_2_00007FF6F6014A30 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6012220 |
0_2_00007FF6F6012220 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6024224 |
0_2_00007FF6F6024224 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6017650 |
0_2_00007FF6F6017650 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601D250 |
0_2_00007FF6F601D250 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6019E50 |
0_2_00007FF6F6019E50 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6015240 |
0_2_00007FF6F6015240 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6020A6C |
0_2_00007FF6F6020A6C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603EE88 |
0_2_00007FF6F603EE88 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601E680 |
0_2_00007FF6F601E680 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6016EE4 |
0_2_00007FF6F6016EE4 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601372C |
0_2_00007FF6F601372C |
Source: osk[1].exe, 00000000.00000002.2831027086.00007FF6F606D000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameCmd.Exej% vs osk[1].exe |
Source: osk[1].exe |
Binary or memory string: OriginalFilenameCmd.Exej% vs osk[1].exe |
Source: C:\Users\user\Desktop\osk[1].exe |
Section loaded: winbrand.dll |
Source: C:\Users\user\Desktop\osk[1].exe |
Section loaded: wldp.dll |
Source: classification engine |
Classification label: clean7.winEXE@2/0@0/0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60132B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, |
0_2_00007FF6F60132B0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F603FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, |
0_2_00007FF6F603FB54 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03 |
Source: osk[1].exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\osk[1].exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\osk[1].exe "C:\Users\user\Desktop\osk[1].exe" |
Source: C:\Users\user\Desktop\osk[1].exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: osk[1].exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: osk[1].exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: osk[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: cmd.pdbUGP source: osk[1].exe |
Source: |
Binary string: cmd.pdb source: osk[1].exe |
Source: osk[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: osk[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: osk[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: osk[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: osk[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: osk[1].exe |
Static PE information: 0xD7EE190D [Wed Oct 18 11:03:41 2084 UTC] |
Source: osk[1].exe |
Static PE information: section name: .didat |
Source: C:\Users\user\Desktop\osk[1].exe |
API coverage: 9.2 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6022978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, |
0_2_00007FF6F6022978 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6037B4C FindFirstFileW,FindNextFileW,FindClose, |
0_2_00007FF6F6037B4C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6011560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, |
0_2_00007FF6F6011560 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60135B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, |
0_2_00007FF6F60135B8 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F602823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, |
0_2_00007FF6F602823C |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6028B00 DelayLoadFailureHook,LdrResolveDelayLoadedAPI, |
0_2_00007FF6F6028B00 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60363FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, |
0_2_00007FF6F60363FC |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601DF60 GetProcessHeap,RtlFreeHeap,_setjmp,longjmp,VirtualFree, |
0_2_00007FF6F601DF60 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60293B0 SetUnhandledExceptionFilter, |
0_2_00007FF6F60293B0 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6028FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FF6F6028FA4 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F60251EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, |
0_2_00007FF6F60251EC |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6023140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, |
0_2_00007FF6F6023140 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6016EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, |
0_2_00007FF6F6016EE4 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F6023140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, |
0_2_00007FF6F6023140 |
Source: C:\Users\user\Desktop\osk[1].exe |
Code function: 0_2_00007FF6F601586C GetVersion, |
0_2_00007FF6F601586C |