Source: wr.exe |
ReversingLabs: Detection: 87% |
Source: wr.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 4x nop then mov rsi, r9 |
0_2_005DB2A0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 4x nop then mov rdi, 0000800000000000h |
0_2_005D9DE0 |
Source: unknown |
DNS traffic detected: queries for: www.dblikes.top |
Source: wr.exe, wr.exe, 00000000.00000002.2035454107.00000000005B1000.00000040.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://www.dblikes.top/winconsistent |
Source: wr.exe |
String found in binary or memory: https://www.sysinternals.com0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00617300 SetWaitableTimer,SetWaitableTimer,NtWaitForSingleObject, |
0_2_00617300 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_006172C0 NtWaitForSingleObject, |
0_2_006172C0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005E4080 |
0_2_005E4080 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005B6160 |
0_2_005B6160 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005D41E0 |
0_2_005D41E0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00605240 |
0_2_00605240 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005DA260 |
0_2_005DA260 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00628220 |
0_2_00628220 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005D72C0 |
0_2_005D72C0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_0060F2A0 |
0_2_0060F2A0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005C9280 |
0_2_005C9280 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005DB2A0 |
0_2_005DB2A0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005F7300 |
0_2_005F7300 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005FF3E0 |
0_2_005FF3E0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005CD380 |
0_2_005CD380 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00626440 |
0_2_00626440 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005ED460 |
0_2_005ED460 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_006124A9 |
0_2_006124A9 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005BC4A0 |
0_2_005BC4A0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005F04A0 |
0_2_005F04A0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005E7500 |
0_2_005E7500 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005DC5A0 |
0_2_005DC5A0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005FA660 |
0_2_005FA660 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005C5600 |
0_2_005C5600 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005D6600 |
0_2_005D6600 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005B6620 |
0_2_005B6620 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005D1740 |
0_2_005D1740 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005C4860 |
0_2_005C4860 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005C98E0 |
0_2_005C98E0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005B5880 |
0_2_005B5880 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005FDAA0 |
0_2_005FDAA0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005EEBC0 |
0_2_005EEBC0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005BDBA0 |
0_2_005BDBA0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00625C00 |
0_2_00625C00 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005F3C20 |
0_2_005F3C20 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00627CE0 |
0_2_00627CE0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005C9CC0 |
0_2_005C9CC0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00606C80 |
0_2_00606C80 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005E7D60 |
0_2_005E7D60 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005D9DE0 |
0_2_005D9DE0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005B9E20 |
0_2_005B9E20 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005EAE20 |
0_2_005EAE20 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005EDEA0 |
0_2_005EDEA0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005CFF60 |
0_2_005CFF60 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005BCFE0 |
0_2_005BCFE0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: String function: 005FE620 appears 37 times |
Source: C:\Users\user\Desktop\wr.exe |
Code function: String function: 005E8320 appears 54 times |
Source: C:\Users\user\Desktop\wr.exe |
Code function: String function: 005E6A60 appears 31 times |
Source: C:\Users\user\Desktop\wr.exe |
Code function: String function: 005E6960 appears 564 times |
Source: C:\Users\user\Desktop\wr.exe |
Code function: String function: 005E8BA0 appears 563 times |
Source: wr.exe |
Static PE information: invalid certificate |
Source: classification engine |
Classification label: mal60.evad.winEXE@1/0@2/0 |
Source: C:\Users\user\Desktop\wr.exe |
Mutant created: \Sessions\1\BaseNamedObjects\abc20259991 |
Source: C:\Users\user\Desktop\wr.exe |
File opened: C:\Windows\system32\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 |
Source: C:\Users\user\Desktop\wr.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: wr.exe |
String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go |
Source: wr.exe |
String found in binary or memory: C:/Users/Sroc/go/pkg/mod/golang.org/x/sys@v0.17.0/windows/svc/eventlog/install.go |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: powrprof.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: umpdc.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\wr.exe |
Section loaded: mswsock.dll |
Source: wr.exe |
Static file information: File size 4445584 > 1048576 |
Source: wr.exe |
Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x43aa00 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_00D9A7C0 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,ExitProcess, |
0_2_00D9A7C0 |
Source: wr.exe |
Static PE information: section name: UPX2 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\wr.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\Desktop\wr.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_006153E0 rdtscp |
0_2_006153E0 |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005E19C0 GetProcessAffinityMask,GetSystemInfo, |
0_2_005E19C0 |
Source: wr.exe, 00000000.00000002.2039272794.000002685E15C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\wr.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\wr.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_006153E0 Start: 006153E9 End: 006153FF |
0_2_006153E0 |
Source: C:\Users\user\Desktop\wr.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\wr.exe |
Code function: 0_2_005F9980 RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler,RtlAddVectoredContinueHandler,SetUnhandledExceptionFilter, |
0_2_005F9980 |