Source: Wo0CkmOz64.exe |
ReversingLabs: Detection: 71% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.2% probability |
Source: Wo0CkmOz64.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: Msajjuwub.pdb source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: 74130c7c-3821-4585-8a44-d82d54fb894c<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedMsajjuwub.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.dotnetzip.pdb.compressed source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.dotnetzip.pdb.compressed source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdbSHA256}Lq source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdb source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.dotnetzip.pdb.compressed8 source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
Source: global traffic |
TCP traffic: 192.168.2.6:49711 -> 80.76.49.148:7702 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.76.49.148 |
Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686- |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp, Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: Wo0CkmOz64.exe, Program.cs |
Large array initialization: Main: array initializer size 849520 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD346772D3 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD346743B0 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD346734D3 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD346740FA |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD346729FA |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD34673387 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD347713D4 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD347705D4 |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMsajjuwub.dll" vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe, 00000000.00000000.2130169567.0000000000A54000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameDniblceid.exe" vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMsajjuwub.dll" vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe, 00000000.00000002.3371838921.0000000002BB0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe, 00000000.00000002.3376338658.000000001336B000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe |
Binary or memory string: OriginalFilenameDniblceid.exe" vs Wo0CkmOz64.exe |
Source: Wo0CkmOz64.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Wo0CkmOz64.exe, Program.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: classification engine |
Classification label: mal92.troj.evad.winEXE@1/0@0/1 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Mutant created: \Sessions\1\BaseNamedObjects\f1bf4db99626c2f2 |
Source: Wo0CkmOz64.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: Wo0CkmOz64.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Wo0CkmOz64.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: Wo0CkmOz64.exe, Program.cs |
.Net Code: Main System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeModel.cs |
.Net Code: TryDeserializeList |
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, ListDecorator.cs |
.Net Code: Read |
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeSerializer.cs |
.Net Code: CreateInstance |
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateInstance |
Source: 0.2.Wo0CkmOz64.exe.2bb0000.1.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateIfNull |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.1bba0000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.131712f0.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.13281328.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3380383003.000000001BBA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Wo0CkmOz64.exe PID: 2752, type: MEMORYSTR |
Source: Wo0CkmOz64.exe |
Static PE information: 0xC8E3E1A2 [Tue Oct 20 00:00:34 2076 UTC] |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD3467BDDA push es; iretd |
0_2_00007FFD3467BDDF |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD34670E55 push ebx; ret |
0_2_00007FFD34670E6A |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Code function: 0_2_00007FFD347739B8 pushad ; retf |
0_2_00007FFD347739B9 |
Source: Wo0CkmOz64.exe |
Static PE information: section name: .text entropy: 7.999487700871465 |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, Y2lLZcbSYWt9UP9rF7.cs |
High entropy of concatenated method names: 'OPE0mL6RM', 'amhzaWG7D', 'xSK4X3fqaj', 'weU44KmgRV', 'x7X4KrV49G', 'LLS4evHfen', 'z3U4darRRK', 'Nlr4m7yH7I', 'wXL4JU8I4P', 'PZW4Y9DtVn' |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, AssemblyLoader.cs |
High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'ibP1P0u5rrp3VJbKq47' |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, gAeOsta063lyJEOOAwv.cs |
High entropy of concatenated method names: 'EDKs6mxP25', 'e2FsLaSBvn', 'Q2ksTi1BIb', 'ND1s5Juqq7', 'sIbs8MwiEE', 'YqVs1vbi9w', 'sbusAYPU96', 'XXxhpSv9Dy', 'v9gsH604Ok', 'l68suULumv' |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs |
High entropy of concatenated method names: 'SQQ9SLDtcCWavixBCma', 'EO6PV9D7VYR6pQw11Me', 'xmbaCCGGr7', 'NsKJigDPaVWkLp0vcVV', 'rSxuMPDndnPj8eZrpdR', 'QGTD51DWCjyUP69NmQk', 'isk9ngDUqv54HqZOvx8', 'wXgJa5DwvBWhCUB4dHF', 'T4WiVKDZR5U4nsojT33', 'FFHa4ADRcIhMkabc29V' |
Source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, W4sJouaB4OvhNNX2KbG.cs |
High entropy of concatenated method names: 'DHbaFapw8d', 'YBiaPYQbOS', 'nQManmQEs3', 'WnjaWkekEO', 'QE8aUmC191', 'pqeawkLeP0', 'xCIaZAU4y3', 'DdnaR0f1KN', 'xx6abZpsSB', 'i0yakyWOe3' |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, Y2lLZcbSYWt9UP9rF7.cs |
High entropy of concatenated method names: 'OPE0mL6RM', 'amhzaWG7D', 'xSK4X3fqaj', 'weU44KmgRV', 'x7X4KrV49G', 'LLS4evHfen', 'z3U4darRRK', 'Nlr4m7yH7I', 'wXL4JU8I4P', 'PZW4Y9DtVn' |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, AssemblyLoader.cs |
High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'ibP1P0u5rrp3VJbKq47' |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, gAeOsta063lyJEOOAwv.cs |
High entropy of concatenated method names: 'EDKs6mxP25', 'e2FsLaSBvn', 'Q2ksTi1BIb', 'ND1s5Juqq7', 'sIbs8MwiEE', 'YqVs1vbi9w', 'sbusAYPU96', 'XXxhpSv9Dy', 'v9gsH604Ok', 'l68suULumv' |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, ixTk49fcGhAJ2sgoDPl.cs |
High entropy of concatenated method names: 'SQQ9SLDtcCWavixBCma', 'EO6PV9D7VYR6pQw11Me', 'xmbaCCGGr7', 'NsKJigDPaVWkLp0vcVV', 'rSxuMPDndnPj8eZrpdR', 'QGTD51DWCjyUP69NmQk', 'isk9ngDUqv54HqZOvx8', 'wXgJa5DwvBWhCUB4dHF', 'T4WiVKDZR5U4nsojT33', 'FFHa4ADRcIhMkabc29V' |
Source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, W4sJouaB4OvhNNX2KbG.cs |
High entropy of concatenated method names: 'DHbaFapw8d', 'YBiaPYQbOS', 'nQManmQEs3', 'WnjaWkekEO', 'QE8aUmC191', 'pqeawkLeP0', 'xCIaZAU4y3', 'DdnaR0f1KN', 'xx6abZpsSB', 'i0yakyWOe3' |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Memory allocated: 1080000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Memory allocated: 1AC10000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Window / User API: threadDelayed 3907 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Window / User API: threadDelayed 6028 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4900 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4156 |
Thread sleep count: 3907 > 30 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4156 |
Thread sleep count: 6028 > 30 |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe TID: 4900 |
Thread sleep time: -922337203685477s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem |
Source: Wo0CkmOz64.exe, 00000000.00000002.3371913837.0000000002C11000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: model0Microsoft|VMWare|Virtual |
Source: Wo0CkmOz64.exe, 00000000.00000002.3379823672.000000001BAC0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Queries volume information: C:\Users\user\Desktop\Wo0CkmOz64.exe VolumeInformation |
Source: C:\Users\user\Desktop\Wo0CkmOz64.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.1b690000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.1b690000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.130312b8.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.130312b8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.131712f0.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.12fdae80.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Wo0CkmOz64.exe.131712f0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3379202075.000000001B690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3376338658.0000000012F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3376338658.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |