Source: xm393ns4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: xm393ns4.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: Z4uofnIZILkJsb.q91.lat User-Agent: If you would like to opt out, please fill out this form: https://forms.office.com/r/i1h9pFXbKA History: Z4uofnIZILkJsb Accept-Encoding: gzip |
Source: global traffic | DNS traffic detected: DNS query: Z4uofnIZILkJsb.q91.lat |
Source: xm393ns4.exe, 00000000.00000002.601512879.000000000AE12000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://Z4uofnIZILkJsb.q91.lat |
Source: xm393ns4.exe, 00000000.00000002.601512879.000000000AE12000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://Z4uofnIZILkJsb.q91.latZ4uofnIZILkJsb.q91.lat:80REQUEST_METHODtcpZ4uofnIZILkJsb.q91.latiphlpap |
Source: xm393ns4.exe, 4uof-MjWrlY2P.exe.0.dr | String found in binary or memory: http://historycmd.exefloat32float64UpgradeReferer |
Source: xm393ns4.exe, 4uof-MjWrlY2P.exe.0.dr | String found in binary or memory: https://forms.office.com/r/i1h9pFXbKA |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Users\user\Desktop\xm393ns4.exe | Memory allocated: 770B0000 page execute and read and write |
Source: C:\Windows\SysWOW64\systeminfo.exe | Memory allocated: 770B0000 page execute and read and write |
Source: xm393ns4.exe, 00000000.00000003.332644889.0000000000320000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns4.exe |
Source: xm393ns4.exe, 00000000.00000002.601178412.000000000031A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns4.exe |
Source: xm393ns4.exe, 00000000.00000003.338631987.0000000000317000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs xm393ns4.exe |
Source: xm393ns4.exe, 00000000.00000003.332626974.000000000031D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesysinfo.exej% vs xm393ns4.exe |
Source: classification engine | Classification label: mal48.evad.winEXE@6/2@1/1 |
Source: C:\Users\user\Desktop\xm393ns4.exe | File created: C:\Users\user\Desktop\4uof-MjWrlY2P.exe |
Source: C:\Users\user\Desktop\xm393ns4.exe | Console Write: ........................................(.P..... ...............$.......-...............#....................................................... |
Source: C:\Users\user\Desktop\xm393ns4.exe | Console Write: ................@....`..........Z.4.u.o.f.n.I.Z.I.L.k.J.s.b...q.9.1...l.a.t........s............................h...............#p.s............ |
Source: C:\Users\user\Desktop\xm393ns4.exe | Console Write: ................@....`..........S.t.a.r.t.i.n.g. .k.e.y.l.o.g.g.e.r.............................P..J............X.$.....&....................... |
Source: xm393ns4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\Desktop\xm393ns4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\xm393ns4.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: xm393ns4.exe | String found in binary or memory: /usr/local/go/src/net/addrselect.go |
Source: C:\Users\user\Desktop\xm393ns4.exe | File read: C:\Users\user\Desktop\xm393ns4.exe |
Source: unknown | Process created: C:\Users\user\Desktop\xm393ns4.exe "C:\Users\user\Desktop\xm393ns4.exe" |
Source: C:\Users\user\Desktop\xm393ns4.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo /fo csv |
Source: C:\Windows\SysWOW64\systeminfo.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
Source: C:\Users\user\Desktop\xm393ns4.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "del C:\Users\user\Desktop\xm393ns4.exe" |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: wow64win.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: wow64cpu.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: powrprof.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\xm393ns4.exe | Section loaded: rasadhlp.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: secur32.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn2.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: bcrypt.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: ntdsapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn2.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: bcrypt.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntdsapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: rpcrtremote.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: esscli.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64win.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64cpu.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll |
Source: C:\Windows\SysWOW64\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: xm393ns4.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: xm393ns4.exe | Static file information: File size 5152256 > 1048576 |
Source: xm393ns4.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x274c00 |
Source: xm393ns4.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21c800 |
Source: xm393ns4.exe | Static PE information: section name: .symtab |
Source: 4uof-MjWrlY2P.exe.0.dr | Static PE information: section name: .symtab |
Source: C:\Users\user\Desktop\xm393ns4.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\xm393ns4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter |
Source: C:\Users\user\Desktop\xm393ns4.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\4uof-MjWrlY2P.exe |
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 892 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 3096 | Thread sleep time: -180000s >= -30000s |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS |
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem |
Source: C:\Users\user\Desktop\xm393ns4.exe | Queries volume information: C:\Users\user\Desktop\4uof-MjWrlY2P.exe VolumeInformation |
Source: C:\Windows\SysWOW64\systeminfo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |