Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C193A0 DecryptMessage, |
0_2_00C193A0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C18AE0 EncryptMessage, |
0_2_00C18AE0 |
Source: win32_remote.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: win32_remote.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: win32_remote.pdb source: win32_remote.exe |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C494A4 FindFirstFileExW,_free, |
0_2_00C494A4 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C3B5D6 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, |
0_2_00C3B5D6 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE25E0 GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,GetModuleFileNameExW,GetSystemDirectoryA,GetCurrentDirectoryA, |
0_2_00BE25E0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C172F0 recvfrom,WSAGetLastError, |
0_2_00C172F0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE64D0 FreeLibrary,CloseHandle,NtUnloadDriver, |
0_2_00BE64D0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE64D1 FreeLibrary,CloseHandle,NtUnloadDriver, |
0_2_00BE64D1 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE5500 NtSystemDebugControl, |
0_2_00BE5500 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE3C60 RtlAdjustPrivilege,RtlAdjustPrivilege,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile, |
0_2_00BE3C60 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE6E20 NtSystemDebugControl, |
0_2_00BE6E20 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE3C60: RtlAdjustPrivilege,RtlAdjustPrivilege,NtLoadDriver,NtCreateFile,NtDeviceIoControlFile, |
0_2_00BE3C60 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE64D0 FreeLibrary,CloseHandle,NtUnloadDriver, |
0_2_00BE64D0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C4712E |
0_2_00C4712E |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2D2A5 |
0_2_00C2D2A5 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C3E465 |
0_2_00C3E465 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C295E0 |
0_2_00C295E0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C315B2 |
0_2_00C315B2 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C317DB |
0_2_00C317DB |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2C707 |
0_2_00C2C707 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2D8F0 |
0_2_00C2D8F0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C359CD |
0_2_00C359CD |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C379D0 |
0_2_00C379D0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C4891A |
0_2_00C4891A |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BFBA90 |
0_2_00BFBA90 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C48A46 |
0_2_00C48A46 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2CA79 |
0_2_00C2CA79 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C1CD50 |
0_2_00C1CD50 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2CD23 |
0_2_00C2CD23 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2CFEA |
0_2_00C2CFEA |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: String function: 00C2ADD0 appears 54 times |
|
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: String function: 00BD37C0 appears 92 times |
|
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: String function: 00BD39E0 appears 37 times |
|
Source: win32_remote.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: win32_remote.exe |
Binary string: JNtSystemDebugControlNtLoadDriverNtUnloadDriverRtlAdjustPrivilegeNtCreateFileNtDeviceIoControlFile\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\kldbgdrv\Device\kldbgdrv |
Source: classification engine |
Classification label: clean9.winEXE@2/1@0/0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE0E90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification,GetLastError,FreeLibrary,SetLastError, |
0_2_00BE0E90 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD5600 CoCreateInstance,SearchPathA,LoadLibraryA,GetProcAddress,FreeLibrary, |
0_2_00BD5600 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03 |
Source: win32_remote.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\win32_remote.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: win32_remote.exe |
String found in binary or memory: on-stop-kill-process |
Source: win32_remote.exe |
String found in binary or memory: 'Don-broken-connection-keep-sessionKeep debugger session alive when connection breakson-stop-kill-processKill debuggee when closing sessionCould not initialize subsystem!IDA_DBGSRV_PASSWDIDA Windows 32-bit remote debug server(MT) v%d.%d.%d. Hex-Rays (c) 2004-2020 |
Source: win32_remote.exe |
String found in binary or memory: ip-address |
Source: win32_remote.exe |
String found in binary or memory: v8aH@aHpeDport-numberPort numberip-addressIP address to bind to (default to any)use-tlsUse TLScertchain-fileTLS certificate chain fileprivkey-fileTLS private key fileverboseVerbose mode0.0.0.0%s:%u: %s |
Source: unknown |
Process created: C:\Users\user\Desktop\win32_remote.exe "C:\Users\user\Desktop\win32_remote.exe" |
Source: C:\Users\user\Desktop\win32_remote.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\win32_remote.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: win32_remote.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: win32_remote.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: win32_remote.pdb source: win32_remote.exe |
Source: win32_remote.exe |
Static PE information: 0xF41F5250 [Wed Oct 14 20:36:32 2099 UTC] |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE3AA0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,GetModuleHandleA,GetProcAddress,GetProcAddress, |
0_2_00BE3AA0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD70D8 push ebp; iretd |
0_2_00BD70D9 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD71CE push ebp; iretd |
0_2_00BD71CF |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD712B push ebp; iretd |
0_2_00BD712C |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD717B push ebp; iretd |
0_2_00BD717C |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD72E8 push ebp; iretd |
0_2_00BD72E9 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD7228 push ebp; iretd |
0_2_00BD7229 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD727B push ebp; iretd |
0_2_00BD727C |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD7348 push ebp; iretd |
0_2_00BD7349 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2D66B pushfd ; retf |
0_2_00C2D66C |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C01979 push 840FC085h; ret |
0_2_00C0197F |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2AE16 push ecx; ret |
0_2_00C2AE29 |
Source: C:\Users\user\Desktop\win32_remote.exe |
API coverage: 8.4 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C494A4 FindFirstFileExW,_free, |
0_2_00C494A4 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C3B5D6 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError, |
0_2_00C3B5D6 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE25E0 GetMappedFileNameW,GetLogicalDriveStringsW,QueryDosDeviceW,GetModuleFileNameExW,GetSystemDirectoryA,GetCurrentDirectoryA, |
0_2_00BE25E0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE2E80 GetSystemInfo,VirtualQueryEx,VirtualQueryEx, |
0_2_00BE2E80 |
Source: win32_remote.exe, 00000000.00000002.2870212866.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2F0D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00C2F0D3 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BE3AA0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,GetModuleHandleA,GetProcAddress,GetProcAddress, |
0_2_00BE3AA0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C327C0 mov eax, dword ptr fs:[00000030h] |
0_2_00C327C0 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C40F50 mov eax, dword ptr fs:[00000030h] |
0_2_00C40F50 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2F0D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00C2F0D3 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2A147 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00C2A147 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2AC15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00C2AC15 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2AD77 SetUnhandledExceptionFilter, |
0_2_00C2AD77 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C2AA6E cpuid |
0_2_00C2AA6E |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C3F7F3 GetSystemTimeAsFileTime, |
0_2_00C3F7F3 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00BD1045 GetVersionExA,GetCurrentProcess, |
0_2_00BD1045 |
Source: C:\Users\user\Desktop\win32_remote.exe |
Code function: 0_2_00C17985 WSAStartup,bind,WSAGetLastError,listen, |
0_2_00C17985 |