Source: XShSI2OXaC.exe | ReversingLabs: Detection: 40%
Source: XShSI2OXaC.exe | Virustotal: Detection: 8%
Source: XShSI2OXaC.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\One
Source: XShSI2OXaC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00405B6C CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 0_2_00405B6C
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_004028D5 FindFirstFileW, | 0_2_004028D5
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_0040679D FindFirstFileW,FindClose, | 0_2_0040679D
Source: XShSI2OXaC.exe | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: XShSI2OXaC.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: XShSI2OXaC.exe | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: XShSI2OXaC.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: XShSI2OXaC.exe | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: XShSI2OXaC.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: XShSI2OXaC.exe | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: XShSI2OXaC.exe | String found in binary or memory: http://subca.ocsp-certum.com01
Source: XShSI2OXaC.exe | String found in binary or memory: http://subca.ocsp-certum.com02
Source: XShSI2OXaC.exe | String found in binary or memory: http://subca.ocsp-certum.com05
Source: XShSI2OXaC.exe | String found in binary or memory: http://www.certum.pl/CPS0
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00405601 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, | 0_2_00405601
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_0040350D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 0_2_0040350D
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00406B64 | 0_2_00406B64
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_73791B5F | 0_2_73791B5F
Source: XShSI2OXaC.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File read: C:\Users\user\Desktop\XShSI2OXaC.exe
Source: XShSI2OXaC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File created: C:\Users\user\AppData\Local\Temp\nsyA070.tmp
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\Plugin_Status.ini
Source: classification engine | Classification label: mal60.troj.evad.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_00402171 CoCreateInstance, | 0_2_00402171
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_004048B8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, | 0_2_004048B8
Source: Yara match | File source: 00000000.00000002.777436198.0000000003220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Code function: 0_2_73791B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, | 0_2_73791B5F
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | File created: C:\Users\user\AppData\Local\Temp\nszA331.tmp\System.dll
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | RDTSC instruction interceptor: First address: 0000000003221D6F second address: 0000000003221D6F instructions: 0x00000000 rdtsc 0x00000002 test ch, 00000040h 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F6E649CF979h 0x0000000d test cx, bx 0x00000010 inc ebp 0x00000011 cmp ax, cx 0x00000014 inc ebx 0x00000015 jmp 00007F6E649CFB35h 0x0000001a test bx, dx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\XShSI2OXaC.exe | API call chain: ExitProcess graph end node