Source: conhost[1].exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: conhost[1].exe |
Binary string: conhost.pdbUGP |
Source: conhost[1].exe |
Binary string: conhost.pdb |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08C0390 OpenClipboard,EnableScrollBar, |
0_2_00007FF7E08C0390 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08C0360 SetClipboardData, |
0_2_00007FF7E08C0360 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E087532C GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_00007FF7E087532C |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08C0370 GetClipboardData, |
0_2_00007FF7E08C0370 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E086E17C _Init_thread_footer,NtOpenFile,NtOpenFile, |
0_2_00007FF7E086E17C |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FA4A0 GetWindowLongPtrW,NtdllDefWindowProc_W,SetWindowLongPtrW, |
0_2_00007FF7E07FA4A0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FA540 EnterCriticalSection,NtdllDefWindowProc_W,LeaveCriticalSection,GetWindowRect,IsRectEmpty,GetWindowLongW,SetDlgItemTextW,SetWindowPos,IsIconic,MonitorFromRect,SetWindowPos,FreeLibrary,NtdllDefWindowProc_W,GetSystemMetrics,SetActiveWindow,SendMessageTimeoutW,NotifyWinEvent, |
0_2_00007FF7E07FA540 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FA43C WideCharToMultiByte,NtdllDefWindowProc_W, |
0_2_00007FF7E07FA43C |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E086E9E0 GetLastError,FreeLibrary,memset,NtdllDefWindowProc_W,RegisterClassW,CreateWindowExW,GetLastError, |
0_2_00007FF7E086E9E0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08771C8 RtlCreateUnicodeString,AlpcInitializeMessageAttribute,NtAlpcConnectPort,AlpcGetMessageAttribute,AlpcGetMessageAttribute,NtAlpcQueryInformationMessage,memset, |
0_2_00007FF7E08771C8 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08094D4 NtQueryVolumeInformationFile, |
0_2_00007FF7E08094D4 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0877A68 NtAlpcSendWaitReceivePort, |
0_2_00007FF7E0877A68 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08024C0 memset,DeviceIoControl,_Init_thread_footer,default_delete, |
0_2_00007FF7E08024C0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08001E0 |
0_2_00007FF7E08001E0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E086A2D4 |
0_2_00007FF7E086A2D4 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FA540 |
0_2_00007FF7E07FA540 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07F4890 |
0_2_00007FF7E07F4890 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07F3840 |
0_2_00007FF7E07F3840 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07F4030 |
0_2_00007FF7E07F4030 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E088A198 |
0_2_00007FF7E088A198 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08625E0 |
0_2_00007FF7E08625E0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0874554 |
0_2_00007FF7E0874554 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E088A910 |
0_2_00007FF7E088A910 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0844964 |
0_2_00007FF7E0844964 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E084EB40 |
0_2_00007FF7E084EB40 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E082ACA8 |
0_2_00007FF7E082ACA8 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E087EC6C |
0_2_00007FF7E087EC6C |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0874DE8 |
0_2_00007FF7E0874DE8 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E088AD80 |
0_2_00007FF7E088AD80 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FCFA0 |
0_2_00007FF7E07FCFA0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0801250 |
0_2_00007FF7E0801250 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E081728C |
0_2_00007FF7E081728C |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E084D5C4 |
0_2_00007FF7E084D5C4 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0883544 |
0_2_00007FF7E0883544 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FF690 |
0_2_00007FF7E07FF690 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E087D7C4 |
0_2_00007FF7E087D7C4 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FD7F0 |
0_2_00007FF7E07FD7F0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0801780 |
0_2_00007FF7E0801780 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0809960 |
0_2_00007FF7E0809960 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E086FAF0 |
0_2_00007FF7E086FAF0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07FFCB0 |
0_2_00007FF7E07FFCB0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0843FE0 |
0_2_00007FF7E0843FE0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0875F30 |
0_2_00007FF7E0875F30 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E084E0F8 |
0_2_00007FF7E084E0F8 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E07F9A04 appears 387 times |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E08296D4 appears 68 times |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E082CFCC appears 159 times |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E082D614 appears 148 times |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E08132F8 appears 175 times |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E080F780 appears 54 times |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: String function: 00007FF7E07F61E4 appears 141 times |
|
Source: conhost[1].exe |
Binary or memory string: OriginalFilename vs conhost[1].exe |
Source: conhost[1].exe, 00000000.00000002.2850178107.00007FF7E08B6000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe |
Source: conhost[1].exe, 00000000.00000000.1596244904.00007FF7E08C1000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe |
Source: conhost[1].exe |
Binary or memory string: OriginalFilenameCONHOST.EXEj% vs conhost[1].exe |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\conhost[1].exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\cmd.exe |
Section loaded: winbrand.dll |
Source: C:\Windows\System32\cmd.exe |
Section loaded: wldp.dll |
Source: conhost[1].exe |
Binary string: \Device\ConDrv\Serveronecore\windows\core\console\open\src\server\winntcontrol.cpponecore\windows\core\console\open\src\interactivity\base\servicelocator.cpponecore\windows\core\console\open\src\interactivity\base\hostsignalinputthread.cppHost Signal Handler Threadonecore\windows\core\console\open\src\interactivity\win32\uiatextrange.cpponecore\windows\core\console\open\src\interactivity\win32\accessibilitynotifier.cpponecore\windows\core\console\open\src\interactivity\win32\windowmetrics.cpponecore\windows\core\console\open\src\interactivity\win32\systemconfigurationprovider.cpponecore\windows\core\console\open\src\interactivity\win32\window.cpponecore\windows\core\console\open\src\interactivity\win32\windowio.cpponecore\windows\core\console\open\src\interactivity\win32\icon.cpponecore\windows\core\console\open\src\interactivity\win32\windowuiaprovider.cpponecore\windows\core\console\open\src\interactivity\win32\windowproc.cpponecore\windows\core\console\open\src\interactivity\win32\clipboard.cpponecore\windows\core\console\open\src\interactivity\win32\screeninfouiaprovider.cpponecore\windows\core\console\open\src\types\viewport.cpponecore\windows\core\console\open\src\types\convert.cpponecore\windows\core\console\open\src\types\utils.cpp |
Source: classification engine |
Classification label: clean9.winEXE@3/0@0/0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E080C444 CoInitializeEx,CoCreateInstance,CoCreateInstance, |
0_2_00007FF7E080C444 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0849608 FindResourceExW,LoadResource,LockResource,memmove, |
0_2_00007FF7E0849608 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03 |
Source: conhost[1].exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\conhost[1].exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: conhost[1].exe |
String found in binary or memory: <!--StartFragment --> |
Source: conhost[1].exe |
String found in binary or memory: <!--StartFragment --> |
Source: conhost[1].exe |
String found in binary or memory: Software\Microsoft\Windows\CurrentVersionPutInputInBuffer: EventsWritten != 1, 1 expectedInvalid EventType: 0x%xonecore\windows\core\console\open\src\host\misc.cpponecore\windows\core\console\open\src\host\output.cppinvalid array<T, N> subscript onecore\windows\core\console\open\src\host\convarea.cppInvalid screen buffer size (0x%x, 0x%x) onecore\windows\core\console\open\src\host\_output.cpponecore\windows\core\console\open\src\host\utils.cppStartEndUnknownTextUnit_CharacterTextUnit_FormatTextUnit_WordTextUnit_LineTextUnit_ParagraphTextUnit_PageTextUnit_DocumentUIA_AutomationFocusChangedEventIdNavigateDirection_FirstChildNavigateDirection_LastChildNavigateDirection_NextSiblingNavigateDirection_PreviousSiblingonecore\windows\core\console\open\src\host\registry.cpponecore\windows\core\console\open\src\host\ntprivapi.cppNtOpenProcessNtQueryInformationProcessNtCloseWriteCharsLegacy failed %xWriteCharsLegacy failed 0x%xonecore\windows\core\console\open\src\host\renderdata.cpponecore\windows\core\console\open\src\host\utf8towidecharparser.cpponecore\windows\core\console\open\src\host\conimeinfo.cpp"" invalid stoi argumentstoi argument out of rangeonecore\windows\core\console\open\src\host\commandnumberpopup.cpponecore\windows\core\console\open\src\host\commandlistpopup.cpp onecore\windows\core\console\open\src\host\exemain.cppConhostV1.dllConsoleCreateIoThreadonecore\windows\core\console\open\src\buffer\out\cursor.cpponecore\windows\core\console\open\src\buffer\out\textbuffer.cpp<>&</TITLE></HEAD><BODY><!DOCTYPE><HTML><HEAD><TITLE><!--StartFragment --><DIV STYLE="display:inline-block;white-space:pre;background-color:;font-family:'',monospace;font-size:pt;padding:px;"><BR></SPAN><SPAN STYLE="color:</DIV><!--EndFragment --></BODY></HTML>Version:0.9 |
Source: unknown |
Process created: C:\Users\user\Desktop\conhost[1].exe "C:\Users\user\Desktop\conhost[1].exe" |
Source: C:\Users\user\Desktop\conhost[1].exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe |
Source: C:\Users\user\Desktop\conhost[1].exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32 |
Source: conhost[1].exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: conhost[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: conhost[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: conhost[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: conhost[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: conhost[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: conhost[1].exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: conhost[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: conhost[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: conhost[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: conhost[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: conhost[1].exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: conhost[1].exe |
Static PE information: section name: .didat |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07F8448 IsIconic, |
0_2_00007FF7E07F8448 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\conhost[1].exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E080CBF0 DelayLoadFailureHook,LdrResolveDelayLoadedAPI, |
0_2_00007FF7E080CBF0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E07F9B68 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, |
0_2_00007FF7E07F9B68 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0807F10 RegOpenKeyW,RegEnumValueW,GetProcessHeap,HeapAlloc,RegCloseKey,GetProcessHeap,HeapFree, |
0_2_00007FF7E0807F10 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E08103A0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FF7E08103A0 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E0810598 SetUnhandledExceptionFilter, |
0_2_00007FF7E0810598 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E080F7A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FF7E080F7A8 |
Source: C:\Users\user\Desktop\conhost[1].exe |
Code function: 0_2_00007FF7E081023C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00007FF7E081023C |