Source: xm393ns0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xm393ns0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\xm393ns0.exe | DNS query: LjZQsnIZIOXO7P.db0.xyz
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: LjZQsnIZIOXO7P.db0.xyzUser-Agent: If you would like to opt out, please fill out this form: https://forms.office.com/r/i1h9pFXbKAHistory: LjZQsnIZIOXO7PAccept-Encoding: gzip
Source: global traffic | DNS traffic detected: DNS query: LjZQsnIZIOXO7P.db0.xyz
Source: xm393ns0.exe, 00000000.00000002.604617157.000000000AC9E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://LjZQsnIZIOXO7P.db0.xyz
Source: xm393ns0.exe, 00000000.00000002.604617157.000000000AC9E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://LjZQsnIZIOXO7P.db0.xyzLjZQsnIZIOXO7P.db0.xyz:80REQUEST_METHODtcpLjZQsnIZIOXO7P.db0.xyziphlpap
Source: xm393ns0.exe, jZQs-eo6N153d.exe.0.dr | String found in binary or memory: http://historycmd.exefloat32float64UpgradeReferer
Source: xm393ns0.exe, jZQs-eo6N153d.exe.0.dr | String found in binary or memory: https://forms.office.com/r/i1h9pFXbKA
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\xm393ns0.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\systeminfo.exe | Memory allocated: 770B0000 page execute and read and write
Source: xm393ns0.exe, 00000000.00000002.603623309.00000000002FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns0.exe
Source: xm393ns0.exe, 00000000.00000003.335755561.0000000000300000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns0.exe
Source: xm393ns0.exe, 00000000.00000003.340319298.00000000002F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns0.exe
Source: xm393ns0.exe, 00000000.00000003.335719938.00000000002FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns0.exe
Source: xm393ns0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal52.troj.evad.winEXE@6/2@1/1
Source: C:\Users\user\Desktop\xm393ns0.exe | File created: C:\Users\user\Desktop\jZQs-eo6N153d.exe
Source: C:\Users\user\Desktop\xm393ns0.exe | Console Write: ........................................(.P.....`.......8...............................#.......................................................
Source: C:\Users\user\Desktop\xm393ns0.exe | Console Write: ................@....`..........L.j.Z.Q.s.n.I.Z.I.O.X.O.7.P...d.b.0...x.y.z........s............................h...............#p.s............
Source: C:\Users\user\Desktop\xm393ns0.exe | Console Write: ................@....`..........S.t.a.r.t.i.n.g. .k.e.y.l.o.g.g.e.r.............................P.DJ............X.H+....&.......................
Source: xm393ns0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\xm393ns0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\xm393ns0.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: xm393ns0.exe | String found in binary or memory: /usr/local/go/src/net/addrselect.go
Source: C:\Users\user\Desktop\xm393ns0.exe | File read: C:\Users\user\Desktop\xm393ns0.exe
Source: unknown | Process created: C:\Users\user\Desktop\xm393ns0.exe "C:\Users\user\Desktop\xm393ns0.exe"
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: C:\Windows\SysWOW64\systeminfo.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe"
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe"
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: esscli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: xm393ns0.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: xm393ns0.exe | Static file information: File size 5152256 > 1048576
Source: xm393ns0.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274c00
Source: xm393ns0.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21c800
Source: xm393ns0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: xm393ns0.exe | Static PE information: section name: .symtab
Source: jZQs-eo6N153d.exe.0.dr | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\xm393ns0.exe | File created: C:\Users\user\Desktop\jZQs-eo6N153d.exe
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Users\user\Desktop\xm393ns0.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\jZQs-eo6N153d.exe
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 2588 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 2588 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 1148 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe"
Source: C:\Users\user\Desktop\xm393ns0.exe | Queries volume information: C:\Users\user\Desktop\jZQs-eo6N153d.exe VolumeInformation
Source: C:\Windows\SysWOW64\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid