Windows Analysis Report
task.exe

Overview

General Information

Sample name:task.exe
Analysis ID:1429064
MD5:8a02bf22f75fbf6a3c9172238717ba4c
SHA1:78543f6ea51a8f49fec95d4ac7631ca0c06be645
SHA256:5c6c61de91323d8bb5027333b75e9ebfca4e42c5141fd440daed5011943c2545
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64_ra
  • task.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\task.exe" MD5: 8A02BF22F75FBF6A3C9172238717BA4C)
    • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures; the full list of signature results follows.

Source: task.exe | Static PE information: certificate valid
Source: task.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\task\task.pdb source: task.exe
Source: task.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: task.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: task.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: task.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: task.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: task.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: task.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: task.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: task.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: task.exe | String found in binary or memory: http://ocsp.sectigo.com0#
Source: task.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: classification engine | Classification label: clean1.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: task.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\task.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\task.exe "C:\Users\user\Desktop\task.exe"
Source: C:\Users\user\Desktop\task.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\task.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\task.exe | Section loaded: libcrypto-3-x64.dll
Source: C:\Users\user\Desktop\task.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\task.exe | Section loaded: wtsapi32.dll
Source: task.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: task.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: task.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: task.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: task.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: task.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: task.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: task.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: task.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: task.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: task.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: task.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: task.exe | Static PE information: section name: _RDATA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Tactic | Techniques (a leading count marks the techniques matched by this sample's signatures)
Reconnaissance | Gather Victim Identity Information; Credentials
Resource Development | Acquire Infrastructure; Domains
Initial Access | Valid Accounts; Default Accounts
Execution | Windows Management Instrumentation; Scheduled Task/Job
Persistence | 1 DLL Side-Loading; Boot or Logon Initialization Scripts
Privilege Escalation | 1 Process Injection; 1 DLL Side-Loading
Defense Evasion | 1 Process Injection; 1 DLL Side-Loading
Credential Access | OS Credential Dumping; LSASS Memory
Discovery | 1 System Information Discovery; Application Window Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol
Collection | Data from Local System; Data from Removable Media
Command and Control | Data Obfuscation; Junk Data
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact | Abuse Accessibility Features; Network Denial of Service
Behavior Graph ID: 1429064 | Sample: task.exe | Startdate: 20/04/2024 | Architecture: WINDOWS | Score: 1
Behavior graph: task.exe (started) -> conhost.exe (started)

Source | Detection | Scanner | Label
task.exe | 0% | Virustotal |
task.exe | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | task.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | task.exe | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | task.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | task.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | task.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | task.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | task.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | task.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0# | task.exe | false | | unknown
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1429064
    Start date and time:2024-04-20 14:39:04 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 3m 37s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:14
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:task.exe
    Detection:CLEAN
    Classification:clean1.winEXE@2/0@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    No simulations
    No context
    No created / dropped files found
    File type:PE32+ executable (console) x86-64, for MS Windows
    Entropy (8bit):6.414681398502372
    TrID:
    • Win64 Executable Console (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:task.exe
    File size:363'272 bytes
    MD5:8a02bf22f75fbf6a3c9172238717ba4c
    SHA1:78543f6ea51a8f49fec95d4ac7631ca0c06be645
    SHA256:5c6c61de91323d8bb5027333b75e9ebfca4e42c5141fd440daed5011943c2545
    SHA512:c4caf5565be05c979d260b9b3b07755e490a4e99df0fb76e8b27e61583cae912b93d907b524e4c8abf11a046c8a91f098a7993f3ae09798c8d241e7325f4858f
    SSDEEP:6144:fGXrAzSVpCreFHGjWIH6BlSIQEaohkHfPvl9eZ:ObAzSVpCr5WAhvoSHHWZ
    TLSH:86744B19BBD436F4F967C178C4A01506DEB1BC094B28F6BF47A44A652E236A0DE3D732
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.*...DK..DK..DK..GJ..DK..AJ..DK..@J..DK...K..DK..CJ..DKs.AJ9.DKs.@J..DKs.GJ..DK..EJ..DK..EJ..DK..EK..DK..LJ..DK..DJ..DK...K..D
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x140001780
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x140000000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Time Stamp:0x65989F7E [Sat Jan 6 00:31:58 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:1507d1819ab873f5f5a6a05f0918739f
    Signature Valid:true
    Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before, Not After
    • 10/03/2023 01:00:00 10/03/2024 00:59:59
    Subject Chain
    • CN=Intel Corporation, O=Intel Corporation, S=California, C=US
    Version:3
    Thumbprint MD5:97355BCEE41595DF26282461BC9E7C46
    Thumbprint SHA-1:C8109BDD00AA2491212910D0A65DDB9455D2495D
    Thumbprint SHA-256:EFA8AC129CFF59E4C40F85E4D3BFAD47F6F7E8CD79F2F28CD1B798A6CCA74B09
    Serial:70045E1A3A594DFAC651C85B86121879
    Instruction
    dec eax
    sub esp, 28h
    call 00007F98A4E3ED30h
    dec eax
    add esp, 28h
    jmp 00007F98A4E3E93Fh
    int3
    int3
    dec eax
    sub esp, 28h
    call 00007F98A4E3F288h
    test eax, eax
    je 00007F98A4E3EAF3h
    dec eax
    mov eax, dword ptr [00000030h]
    dec eax
    mov ecx, dword ptr [eax+08h]
    jmp 00007F98A4E3EAD7h
    dec eax
    cmp ecx, eax
    je 00007F98A4E3EAE6h
    xor eax, eax
    dec eax
    cmpxchg dword ptr [00053758h], ecx
    jne 00007F98A4E3EAC0h
    xor al, al
    dec eax
    add esp, 28h
    ret
    mov al, 01h
    jmp 00007F98A4E3EAC9h
    int3
    int3
    int3
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    movzx eax, byte ptr [00053743h]
    test ecx, ecx
    mov ebx, 00000001h
    cmove eax, ebx
    mov byte ptr [00053733h], al
    call 00007F98A4E3F08Fh
    call 00007F98A4E3F6C2h
    test al, al
    jne 00007F98A4E3EAD6h
    xor al, al
    jmp 00007F98A4E3EAE6h
    call 00007F98A4E4E22Dh
    test al, al
    jne 00007F98A4E3EADBh
    xor ecx, ecx
    call 00007F98A4E3F6D2h
    jmp 00007F98A4E3EABCh
    mov al, bl
    dec eax
    add esp, 20h
    pop ebx
    ret
    int3
    int3
    int3
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    cmp byte ptr [000536F8h], 00000000h
    mov ebx, ecx
    jne 00007F98A4E3EB39h
    cmp ecx, 01h
    jnbe 00007F98A4E3EB3Ch
    call 00007F98A4E3F1EEh
    test eax, eax
    je 00007F98A4E3EAFAh
    test ebx, ebx
    jne 00007F98A4E3EAF6h
    dec eax
    lea ecx, dword ptr [000536E2h]
    call 00007F98A4E3EB1Eh
    Programming Language:
    • [IMP] VS2008 SP1 build 30729
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x42b80 | 0x1a4 | .rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x42d24 | 0xdc | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x434 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x56000 | 0x1c5c | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x56200 | 0x2908 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5a000 | 0x6cc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f880 | 0x54 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3f8e0 | 0x138 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x4d8 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x3242c | 0x32600 | 4a92c57d1b12b27208391c4f3c5f65e1 | False | 0.49418908964019853 | data | 6.408955739465912 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x34000 | 0xfe1e | 0x10000 | a94837f7a4eddd9683742d584be57b4f | False | 0.4621429443359375 | data | 5.1503657728043954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x44000 | 0x11cd8 | 0x10a00 | a5d9be9af76f07fd41ba9be2ad11bd0d | False | 0.16168350563909775 | data | 5.009557832575589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata | 0x56000 | 0x1c5c | 0x1e00 | 71185e3d14e5e86c933c6538ad1f3d0f | False | 0.47408854166666664 | data | 5.1604041978171225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    _RDATA | 0x58000 | 0xfc | 0x200 | 306a8f944177c4b94b4132c82cf74cf2 | False | 0.306640625 | data | 1.9876897658321124 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0x59000 | 0x434 | 0x600 | 124c05d17be7c3b0865c1fe8bdbc0bc0 | False | 0.349609375 | data | 4.638606943266937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x5a000 | 0x6cc | 0x800 | 05300dc6bf3543a7ab6a06160c718171 | False | 0.5341796875 | data | 5.064355067037347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x590a0 | 0x238 | data | English | United States | 0.5052816901408451
    RT_MANIFEST | 0x592d8 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
    DLL | Import
    KERNEL32.dll | FindFirstFileW, SetLastError, FindNextFileW, TerminateProcess, WaitForMultipleObjects, SetEnvironmentVariableW, FindClose, WaitForSingleObject, GetSystemDirectoryW, UnmapViewOfFile, Sleep, GetFileAttributesExW, GetCurrentThread, GetCurrentDirectoryW, RtlCaptureStackBackTrace, GetModuleHandleW, FreeLibrary, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, LoadLibraryExW, ReadFile, GetTempPathW, CreateSemaphoreW, LoadLibraryW, SetEndOfFile, HeapSize, GetStringTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, CreateFileW, GetProcessId, RaiseException, LeaveCriticalSection, EnterCriticalSection, SetConsoleTextAttribute, GetConsoleScreenBufferInfo, GetProcessHeap, GetCurrentProcessId, LocalFree, HeapAlloc, DeleteProcThreadAttributeList, CloseHandle, UpdateProcThreadAttribute, GetLastError, lstrcmpA, GetCurrentThreadId, LocalAlloc, GetEnvironmentVariableA, GetEnvironmentVariableW, InitializeProcThreadAttributeList, GetModuleFileNameW, GetStdHandle, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, FlushFileBuffers, OutputDebugStringW, SetStdHandle, GetFileSizeEx, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, SetFilePointerEx, HeapReAlloc, LCMapStringW, SetThreadAffinityMask, ReleaseSemaphore, CompareStringW, GetCurrentProcess, HeapFree, GetModuleFileNameA, GetProcAddress, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, WriteFile, WriteConsoleW, __C_specific_handler, GetFileType, FreeLibraryAndExitThread, ExitThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetTimeZoneInformation, GetVersion, GetModuleHandleA, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, EncodePointer, RtlUnwindEx, TlsFree, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue
    USER32.dll | OpenInputDesktop, GetUserObjectInformationW, CloseDesktop
    ADVAPI32.dll | RegQueryValueExW, CreateProcessAsUserW, ReportEventW, RegCloseKey, RegOpenKeyExW, RegGetValueW
    libcrypto-3-x64.dll | EVP_md5, EVP_sha256, EVP_DigestUpdate, EVP_MD_CTX_free, EVP_DigestInit_ex, HMAC, EVP_MD_get_size, EVP_DigestFinal_ex, EVP_MD_CTX_new
    WINTRUST.dll | WinVerifyTrust
    CRYPT32.dll | CryptMsgClose, CryptQueryObject, CertCloseStore, CryptMsgGetParam, CryptDecodeObject
    dbghelp.dll | SymInitialize, SymGetLineFromAddr64, MiniDumpWriteDump, SymFromAddr
    ntdll.dll | RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext
    RPCRT4.dll | UuidCreate, RpcStringFreeW, UuidToStringW
    WTSAPI32.dll | WTSQueryUserToken
    Name | Ordinal | Address
    get_environment_variable | 1 | 0x140021060
    get_environment_variable_a | 2 | 0x140020f90
    get_environment_variable_w | 3 | 0x140020eb0
    get_module_file_name | 4 | 0x1400212f0
    get_module_file_name_a | 5 | 0x140021220
    get_module_file_name_w | 6 | 0x140021140
    p_exception_esrv | 7 | 0x140055cc0
    set_current_directory | 8 | 0x140021400
    set_current_directory_a | 9 | 0x1400213f0
    set_current_directory_w | 10 | 0x1400213e0
    sh_get_known_folder_path | 11 | 0x140020e80
    Language of compilation system | Country where language is spoken
    English | United States
    No network behavior found

    Target ID:0
    Start time:14:39:32
    Start date:20/04/2024
    Path:C:\Users\user\Desktop\task.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\task.exe"
    Imagebase:0x7ff6ba7d0000
    File size:363'272 bytes
    MD5 hash:8A02BF22F75FBF6A3C9172238717BA4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

    Target ID:1
    Start time:14:39:32
    Start date:20/04/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6684c0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly