Source: xm393ns4.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: xm393ns4.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
  Host: Z4uofnIZILkJsb.q91.lat
  User-Agent: If you would like to opt out, please fill out this form: https://forms.office.com/r/i1h9pFXbKA
  History: Z4uofnIZILkJsb
  Accept-Encoding: gzip |
Source: global traffic |
DNS traffic detected: DNS query: Z4uofnIZILkJsb.q91.lat |
Source: xm393ns4.exe, 00000000.00000002.601512879.000000000AE12000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://Z4uofnIZILkJsb.q91.lat |
Source: xm393ns4.exe, 00000000.00000002.601512879.000000000AE12000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://Z4uofnIZILkJsb.q91.latZ4uofnIZILkJsb.q91.lat:80REQUEST_METHODtcpZ4uofnIZILkJsb.q91.latiphlpap |
Source: xm393ns4.exe, 4uof-MjWrlY2P.exe.0.dr |
String found in binary or memory: http://historycmd.exefloat32float64UpgradeReferer |
Source: xm393ns4.exe, 4uof-MjWrlY2P.exe.0.dr |
String found in binary or memory: https://forms.office.com/r/i1h9pFXbKA |
Source: C:\Windows\SysWOW64\systeminfo.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Memory allocated: 770B0000 page execute and read and write |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Memory allocated: 770B0000 page execute and read and write |
Source: xm393ns4.exe, 00000000.00000003.332644889.0000000000320000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns4.exe |
Source: xm393ns4.exe, 00000000.00000002.601178412.000000000031A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns4.exe |
Source: xm393ns4.exe, 00000000.00000003.338631987.0000000000317000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns4.exe |
Source: xm393ns4.exe, 00000000.00000003.332626974.000000000031D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns4.exe |
Source: classification engine |
Classification label: mal48.evad.winEXE@6/2@1/1 |
Source: C:\Users\user\Desktop\xm393ns4.exe |
File created: C:\Users\user\Desktop\4uof-MjWrlY2P.exe |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Console Write: ........................................(.P..... ...............$.......-...............#....................................................... |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Console Write: ................@....`..........Z.4.u.o.f.n.I.Z.I.L.k.J.s.b...q.9.1...l.a.t........s............................h...............#p.s............ |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Console Write: ................@....`..........S.t.a.r.t.i.n.g. .k.e.y.l.o.g.g.e.r.............................P..J............X.$.....&....................... |
Source: xm393ns4.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\SysWOW64\systeminfo.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\xm393ns4.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: xm393ns4.exe |
String found in binary or memory: /usr/local/go/src/net/addrselect.go |
Source: C:\Users\user\Desktop\xm393ns4.exe |
File read: C:\Users\user\Desktop\xm393ns4.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\xm393ns4.exe "C:\Users\user\Desktop\xm393ns4.exe" |
|
Source: C:\Users\user\Desktop\xm393ns4.exe |
Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv |
|
Source: C:\Windows\SysWOW64\systeminfo.exe |
Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
|
Source: C:\Users\user\Desktop\xm393ns4.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns4.exe" |
|
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: wow64win.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: wow64cpu.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: powrprof.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: framedynos.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: secur32.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: wbemcomn2.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: bcrypt.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: rpcrtremote.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Section loaded: ntdsapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: fastprox.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: wbemcomn2.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: bcrypt.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: ntdsapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: ncobjapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: rpcrtremote.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: esscli.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: winbrand.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: xm393ns4.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: xm393ns4.exe |
Static file information: File size 5152256 > 1048576 |
Source: xm393ns4.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274c00 |
Source: xm393ns4.exe |
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21c800 |
Source: xm393ns4.exe |
Static PE information: section name: .symtab |
Source: 4uof-MjWrlY2P.exe.0.dr |
Static PE information: section name: .symtab |
Source: C:\Users\user\Desktop\xm393ns4.exe |
File created: C:\Users\user\Desktop\4uof-MjWrlY2P.exe |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systeminfo.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Dropped PE file which has not been started: C:\Users\user\Desktop\4uof-MjWrlY2P.exe |
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 892 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 3096 |
Thread sleep time: -180000s >= -30000s |
Source: C:\Windows\SysWOW64\systeminfo.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS |
Source: C:\Windows\SysWOW64\systeminfo.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem |
Source: C:\Users\user\Desktop\xm393ns4.exe |
Queries volume information: C:\Users\user\Desktop\4uof-MjWrlY2P.exe VolumeInformation |
Source: C:\Windows\SysWOW64\systeminfo.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |