Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
ReversingLabs: Detection: 26% |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Joe Sandbox ML: detected |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: section name: .8;y |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: section name: .gJ+ |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: section name: .z!h |
Source: classification engine |
Classification label: mal56.winEXE@2/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
ReversingLabs: Detection: 26% |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: opengl32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: msvcp140.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: d3dx9_43.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: vcruntime140_1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: glu32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static file information: File size 15426560 > 1048576 |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: Raw size of .z!h is bigger than: 0x100000 < 0xeb4000 |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: initial sample |
Static PE information: section where entry point is pointing to: .z!h |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: section name: .8;y |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: section name: .gJ+ |
Source: SecuriteInfo.com.W64.ABRisk.HGSF-5324.18792.11913.exe |
Static PE information: section name: .z!h |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |