Source: xm393ns0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: xm393ns0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\xm393ns0.exe | DNS query: LjZQsnIZIOXO7P.db0.xyz |
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: LjZQsnIZIOXO7P.db0.xyzUser-Agent: If you would like to opt out, please fill out this form: https://forms.office.com/r/i1h9pFXbKAHistory: LjZQsnIZIOXO7PAccept-Encoding: gzip |
Source: global traffic | DNS traffic detected: DNS query: LjZQsnIZIOXO7P.db0.xyz |
Source: xm393ns0.exe, 00000000.00000002.604617157.000000000AC9E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://LjZQsnIZIOXO7P.db0.xyz |
Source: xm393ns0.exe, 00000000.00000002.604617157.000000000AC9E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://LjZQsnIZIOXO7P.db0.xyzLjZQsnIZIOXO7P.db0.xyz:80REQUEST_METHODtcpLjZQsnIZIOXO7P.db0.xyziphlpap |
Source: xm393ns0.exe, jZQs-eo6N153d.exe.0.dr | String found in binary or memory: http://historycmd.exefloat32float64UpgradeReferer |
Source: xm393ns0.exe, jZQs-eo6N153d.exe.0.dr | String found in binary or memory: https://forms.office.com/r/i1h9pFXbKA |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Users\user\Desktop\xm393ns0.exe | Memory allocated: 770B0000 page execute and read and write |
Source: C:\Windows\SysWOW64\systeminfo.exe | Memory allocated: 770B0000 page execute and read and write |
Source: xm393ns0.exe, 00000000.00000002.603623309.00000000002FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns0.exe |
Source: xm393ns0.exe, 00000000.00000003.335755561.0000000000300000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns0.exe |
Source: xm393ns0.exe, 00000000.00000003.340319298.00000000002F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns0.exe |
Source: xm393ns0.exe, 00000000.00000003.335719938.00000000002FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns0.exe |
Source: classification engine | Classification label: mal52.troj.evad.winEXE@6/2@1/1 |
Source: C:\Users\user\Desktop\xm393ns0.exe | File created: C:\Users\user\Desktop\jZQs-eo6N153d.exe |
Source: C:\Users\user\Desktop\xm393ns0.exe | Console Write: ........................................(.P.....`.......8...............................#....................................................... |
Source: C:\Users\user\Desktop\xm393ns0.exe | Console Write: ................@....`..........L.j.Z.Q.s.n.I.Z.I.O.X.O.7.P...d.b.0...x.y.z........s............................h...............#p.s............ |
Source: C:\Users\user\Desktop\xm393ns0.exe | Console Write: ................@....`..........S.t.a.r.t.i.n.g. .k.e.y.l.o.g.g.e.r.............................P.DJ............X.H+....&....................... |
Source: xm393ns0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\Desktop\xm393ns0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\xm393ns0.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: xm393ns0.exe | String found in binary or memory: /usr/local/go/src/net/addrselect.go |
Source: C:\Users\user\Desktop\xm393ns0.exe | File read: C:\Users\user\Desktop\xm393ns0.exe |
Source: unknown | Process created: C:\Users\user\Desktop\xm393ns0.exe "C:\Users\user\Desktop\xm393ns0.exe" |
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv |
Source: C:\Windows\SysWOW64\systeminfo.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
Source: C:\Users\user\Desktop\xm393ns0.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns0.exe" |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: wow64win.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: wow64cpu.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: powrprof.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\xm393ns0.exe | Section loaded: rasadhlp.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: secur32.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn2.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: bcrypt.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: ntdsapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn2.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: bcrypt.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntdsapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: esscli.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: xm393ns0.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: xm393ns0.exe | Static file information: File size 5152256 > 1048576 |
Source: xm393ns0.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274c00 |
Source: xm393ns0.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21c800 |
Source: xm393ns0.exe | Static PE information: section name: .symtab |
Source: jZQs-eo6N153d.exe.0.dr | Static PE information: section name: .symtab |
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xm393ns0.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter |
Source: C:\Users\user\Desktop\xm393ns0.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\jZQs-eo6N153d.exe |
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 2588 | Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 2588 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 1148 | Thread sleep time: -240000s >= -30000s |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\xm393ns0.exe | Queries volume information: C:\Users\user\Desktop\jZQs-eo6N153d.exe VolumeInformation |
Source: C:\Windows\SysWOW64\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |