Source: URGENT ORDER.exe |
ReversingLabs: Detection: 41% |
Source: URGENT ORDER.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
HTTP traffic: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.com |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj029XrK4z0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.com |
Source: global traffic |
DNS traffic detected: DNS query: www.google.com |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: URGENT ORDER.exe |
String found in binary or memory: http://www.google.com |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp, URGENT ORDER.exe, 00000000.00000002.2109504607.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.google.com/ |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8N_4ta5bxG1Zr4bsbyeQXOxPM24IDb0DZSiSywOAavj0 |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjcGLPerbEGIjDUAttsuaejjF-8 |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000341B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.google.com/t |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.google.comd |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: URGENT ORDER.exe, 00000000.00000002.2109504607.000000000342F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/recaptcha/api.js |
Source: initial sample |
Static PE information: Filename: URGENT ORDER.exe |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Code function: 0_2_01546D58 |
0_2_01546D58 |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Code function: 0_2_01544D00 |
0_2_01544D00 |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Code function: 0_2_0154A8D0 |
0_2_0154A8D0 |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Code function: 0_2_01547C38 |
0_2_01547C38 |
Source: URGENT ORDER.exe, 00000000.00000002.2109013393.00000000015FE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs URGENT ORDER.exe |
Source: classification engine |
Classification label: mal76.evad.winEXE@1/1@1/1 |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT ORDER.exe.log |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Mutant created: NULL |
Source: URGENT ORDER.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: URGENT ORDER.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: URGENT ORDER.exe |
ReversingLabs: Detection: 41% |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: rasapi32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: rasman.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: rtutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll |
Jump to behavior |
Source: URGENT ORDER.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: URGENT ORDER.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: URGENT ORDER.exe, Jm1s.cs |
.Net Code: NewLateBinding.LateCall(objectValue3, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true) |
Source: URGENT ORDER.exe, Jm1s.cs |
.Net Code: r2GY System.Reflection.Assembly.Load(byte[]) |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Code function: 0_2_015462C8 push esp; ret |
0_2_015462D1 |
Source: URGENT ORDER.exe, Gb7.cs |
High entropy of concatenated method names: 'Ri', 'o7', 'q9', 'n6', 'a0', 'g6', 'Gy', 'Ki', 'By', 'Na' |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Memory allocated: 1540000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Memory allocated: 33B0000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Memory allocated: 17F0000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 600000 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 599889 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 599780 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Window / User API: threadDelayed 368 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 |
Thread sleep time: -2767011611056431s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 |
Thread sleep time: -600000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 |
Thread sleep time: -599889s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6484 |
Thread sleep count: 368 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 6620 |
Thread sleep time: -599780s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 380 |
Thread sleep time: -30000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe TID: 5876 |
Thread sleep time: -922337203685477s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 600000 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 599889 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 599780 |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: URGENT ORDER.exe, 00000000.00000002.2109013393.0000000001680000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Code function: 0_2_01544528 LdrInitializeThunk, |
0_2_01544528 |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Memory allocated: page read and write | page guard |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Queries volume information: C:\Users\user\Desktop\URGENT ORDER.exe VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\URGENT ORDER.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |