Windows Analysis Report
SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe

Overview

General Information

Sample name: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Analysis ID: 1427742
MD5: 87b6fcfdaa0ab94d9cf4b7f3cbbc8b8b
SHA1: 2e3dacf58466b4b7a2c6d52b008f6e1b4c98911a
SHA256: c1874e86e54a70b1917c708826975e45fa5c813f0ec30f6afd4971100ac0e5b7
Tags: exe

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140004620 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0000000140004620
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140003E88 FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 0_2_0000000140003E88
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 4x nop then movzx eax, byte ptr [rdx+07h] 0_2_00000001400170F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 4x nop then movsxd r9, rbp 0_2_0000000140011620
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 4x nop then movzx eax, byte ptr [rdx] 0_2_000000014000F6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 4x nop then mov ebp, dword ptr [r13+00h] 0_2_000000014000E740
Source: EasyVBO.exe.0.dr String found in binary or memory: PATH@https://twitter.com/home?status=Zhttps://www.facebook.com/sharer/sharer.php?u=hhttps://www.linkedin.com/shareArticle?mini=true&url=Dhttps://plus.google.com/share?url=VB equals www.facebook.com (Facebook)
Source: EasyVBO.exe.0.dr String found in binary or memory: PATH@https://twitter.com/home?status=Zhttps://www.facebook.com/sharer/sharer.php?u=hhttps://www.linkedin.com/shareArticle?mini=true&url=Dhttps://plus.google.com/share?url=VB equals www.linkedin.com (Linkedin)
Source: EasyVBO.exe.0.dr String found in binary or memory: PATH@https://twitter.com/home?status=Zhttps://www.facebook.com/sharer/sharer.php?u=hhttps://www.linkedin.com/shareArticle?mini=true&url=Dhttps://plus.google.com/share?url=VB equals www.twitter.com (Twitter)
Source: EasyVBO.exe.0.dr String found in binary or memory: http://www.easyas.co.zaBYour
Source: EasyVBO.exe.0.dr String found in binary or memory: https://www.easyas.co.za/downloads/7zEasyVBO.exef
Source: EasyVBO.exe.0.dr String found in binary or memory: https://www.google.com/
Source: EasyVBO.exe.0.dr String found in binary or memory: https://www.winsms.co.za/api/credits.ASP?User=
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: String function: 0000000140003E6C appears 32 times
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe, 00000000.00000003.1689291681.0000000000858000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEasyVBO.exe vs SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe, 00000000.00000000.1632439150.0000000140031000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x64.exeD vs SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe, 00000000.00000003.1681407885.00000000023B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x64.exeD vs SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe, 00000000.00000003.1688185626.00000000048CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEasyVBO.exe vs SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Binary or memory string: OriginalFilename7ZSfxMod_x64.exeD vs SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: classification engine Classification label: clean6.winEXE@5/2@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_000000014000D328 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,??2@YAPEAX_K@Z,lstrcpyW,lstrcpyW,??3@YAXPEAX@Z,LocalFree, 0_2_000000014000D328
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140001240 GetDiskFreeSpaceExW,SendMessageW, 0_2_0000000140001240
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_000000014000CE2C GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,GetDlgItem,SetWindowLongPtrW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 0_2_000000014000CE2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140002640 GetModuleHandleW,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_0000000140002640
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe File created: C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe "C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Static file information: File size 2068446 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140002DF0 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_0000000140002DF0
Source: SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Static PE information: real checksum: 0x3a352 should be: 0x208771
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe File created: C:\ez-az!\EasyVBO.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Dropped PE file which has not been started: C:\ez-az!\EasyVBO.exe
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140004620 GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0000000140004620
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140003E88 FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 0_2_0000000140003E88
Source: EasyVBO.exe.0.dr Binary or memory string: ar-AEJServer Datacenter (core installation)jServer Datacenter without Hyper-V (core installation)jServer Datacenter without Hyper-V (full installation)
Source: EasyVBO.exe.0.dr Binary or memory string: ar-OMZWindows Small Business Server 2011 Essentials:Windows Small Business Server:Small Business Server PremiumbSmall Business Server Premium (core installation)2Windows MultiPoint ServerRServer Standard (evaluation installation)FServer Standard (core installation)>Server Standard without Hyper-VfServer Standard without Hyper-V (core installation)0Server Solutions PremiumXServer Solutions Premium (core installation)
Source: EasyVBO.exe.0.dr Binary or memory string: ar-TNjServer Enterprise without Hyper-V (core installation)VServer Enterprise for Itanium-based SystemsjServer Enterprise without Hyper-V (full installation)XWindows Essential Server Solution Management0Windows Home Server 2011
Source: EasyVBO.exe.0.dr Binary or memory string: ar-SYRWindows Storage Server 2008 R2 Essentials0Microsoft Hyper-V Server
Source: EasyVBO.exe.0.dr Binary or memory string: Windows Server 2008 without Hyper-V for Windows Essential Server Solutions
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140001120 RtlAddVectoredExceptionHandler, 0_2_0000000140001120
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140023600 SetUnhandledExceptionFilter, 0_2_0000000140023600
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140007290 ??3@YAXPEAX@Z,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 0_2_0000000140007290
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZSfx000.cmd" "
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140002E64 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0000000140002E64
Source: EasyVBO.exe.0.dr Binary or memory string: Progman
Source: EasyVBO.exe.0.dr Binary or memory string: Shell_traywnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140022B70 cpuid 0_2_0000000140022B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: GetLastError,wsprintfW,GetEnvironmentVariableW,GetLastError,??2@YAPEAX_K@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPEAX@Z,SetLastError,lstrlenA,??2@YAPEAX_K@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_0000000140002BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140004C64 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 0_2_0000000140004C64
Source: C:\Users\user\Desktop\SecuriteInfo.com.HEUR.Trojan.Win32.DelShad.vho.25230.12529.exe Code function: 0_2_0000000140007FA4 ?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,GetModuleFileNameW,_wtol,??2@YAPEAX_K@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wsprintfW,_wtol,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetCommandLineW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,CoInitialize,lstrlenW,memcpy,_wtol,??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetKeyState,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,GetFileAttributesW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,_wtol,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,SetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,SetCurrentDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,MessageBoxA, 0_2_0000000140007FA4
No contacted IP infos