Windows Analysis Report
EDownloader.exe

Overview

General Information

Sample name: EDownloader.exe
Analysis ID: 1431754
MD5: 3d92268fec3c1cf2e0e29a47d22a79fb
SHA1: 445c634e78ec63ccb3a39ee5f6e81a7b46f3a7e5
SHA256: 20475e541ca6a061eb5dc587784b9a3910bda519ccfd8d009dfcb4fd60fff0b6

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005E6300 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,_strstr,_strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle, 0_2_005E6300
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EA450 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_005EA450
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005CE400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 0_2_005CE400
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005CE490 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_005CE490
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EA580 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 0_2_005EA580
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005CF760 GetModuleHandleA,GetProcAddress,CertOpenStore,GetLastError,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext, 0_2_005CF760
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005D17C0 CryptAcquireContextA,CryptCreateHash, 0_2_005D17C0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005D1800 CryptHashData, 0_2_005D1800
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005D1820 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_005D1820
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00525CD0 CreateFileW,CloseHandle,CryptAcquireContextW,CryptCreateHash,GetFileSize,ReadFile,CryptHashData,CloseHandle,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00525CD0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_005B83A0
Source: EDownloader.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\EDownloader.exe Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_005DCDB0
Source: EDownloader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EDownloader.exe Static PE information: certificate valid
Source: EDownloader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\PackageDownloader\mmloader\main\EDownloader\Release\EDownloader.pdb source: EDownloader.exe
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_006119B2 FindFirstFileExW, 0_2_006119B2
Source: C:\Users\user\Desktop\EDownloader.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Users\user\Desktop\EDownloader.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Users\user\Desktop\EDownloader.exe File opened: C:\Windows\SysWOW64\KERNELBASE.dll
Source: C:\Users\user\Desktop\EDownloader.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\Users\user\Desktop\EDownloader.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: C:\Users\user\Desktop\EDownloader.exe File opened: C:\Windows\SysWOW64\KERNEL32.DLL
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005BED70 recv,WSAGetLastError, 0_2_005BED70
Source: EDownloader.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: EDownloader.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: EDownloader.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: EDownloader.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: EDownloader.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EDownloader.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: EDownloader.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: EDownloader.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: EDownloader.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: EDownloader.exe String found in binary or memory: http://ocsp.digicert.com0
Source: EDownloader.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: EDownloader.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: EDownloader.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: EDownloader.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: EDownloader.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: EDownloader.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: EDownloader.exe String found in binary or memory: https://www.baidu.com/
Source: EDownloader.exe String found in binary or memory: https://www.google.com/
Source: EDownloader.exe String found in binary or memory: https://www.google.com/https://www.baidu.com/GMT
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005584C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_005584C0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00558FB0 PeekMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetTickCount,_wcsstr,GetKeyState, 0_2_00558FB0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005382B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_005382B0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F6065 0_2_005F6065
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005D0060 0_2_005D0060
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00610179 0_2_00610179
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F21F1 0_2_005F21F1
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005BE200 0_2_005BE200
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F6299 0_2_005F6299
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0057C280 0_2_0057C280
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00608326 0_2_00608326
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A8310 0_2_005A8310
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005B03D0 0_2_005B03D0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0059C3F0 0_2_0059C3F0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005C23F0 0_2_005C23F0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A8440 0_2_005A8440
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F64CD 0_2_005F64CD
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F24AC 0_2_005F24AC
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005724A0 0_2_005724A0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0056E550 0_2_0056E550
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A0540 0_2_005A0540
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005E4500 0_2_005E4500
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EC500 0_2_005EC500
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A25B0 0_2_005A25B0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005947D0 0_2_005947D0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005E2860 0_2_005E2860
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00560820 0_2_00560820
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005FC8EA 0_2_005FC8EA
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005FE8E0 0_2_005FE8E0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0059E950 0_2_0059E950
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005369D0 0_2_005369D0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00574AD0 0_2_00574AD0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00584AB0 0_2_00584AB0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005ECB00 0_2_005ECB00
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0059EC80 0_2_0059EC80
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00572DB0 0_2_00572DB0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0059CE50 0_2_0059CE50
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00618EE0 0_2_00618EE0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005CCF40 0_2_005CCF40
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0053F03F 0_2_0053F03F
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00577150 0_2_00577150
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0057D11F 0_2_0057D11F
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005591B0 0_2_005591B0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00573270 0_2_00573270
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_006172EC 0_2_006172EC
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A9370 0_2_005A9370
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00521380 0_2_00521380
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A1380 0_2_005A1380
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005A33B0 0_2_005A33B0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00617410 0_2_00617410
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00533570 0_2_00533570
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00559520 0_2_00559520
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_006156CA 0_2_006156CA
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005CF760 0_2_005CF760
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F17E0 0_2_005F17E0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00571910 0_2_00571910
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F190E 0_2_005F190E
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00521A70 0_2_00521A70
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0055FAF0 0_2_0055FAF0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00613B67 0_2_00613B67
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0055DB10 0_2_0055DB10
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0059BB10 0_2_0059BB10
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005DDB30 0_2_005DDB30
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0057BBF0 0_2_0057BBF0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005E1C60 0_2_005E1C60
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F1C80 0_2_005F1C80
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EDDDB 0_2_005EDDDB
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00591E70 0_2_00591E70
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0052BF70 0_2_0052BF70
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0056FF70 0_2_0056FF70
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F1F2A 0_2_005F1F2A
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00585F90 0_2_00585F90
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005A6850 appears 54 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005BEB00 appears 319 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005CB6F0 appears 34 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 00522E90 appears 249 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005EF720 appears 68 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005F9D38 appears 52 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 00522BA0 appears 94 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005E83D0 appears 36 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 0052C890 appears 310 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005CB7A0 appears 80 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005BEBE0 appears 270 times
Source: C:\Users\user\Desktop\EDownloader.exe Code function: String function: 005C11F0 appears 36 times
Source: classification engine Classification label: clean6.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005E3590 GetLastError,___swprintf_l,FormatMessageA,___swprintf_l,___swprintf_l,_strncpy,GetLastError,SetLastError, 0_2_005E3590
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00554FA0 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle, 0_2_00554FA0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0058F650 LoadLibraryW,GetProcAddress,CoCreateInstance, 0_2_0058F650
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005639E0 GetWindowLongW,SetWindowLongW,GetClientRect,SetWindowPos,GetModuleFileNameW,_wcsrchr,FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource,MessageBoxW,ExitProcess, 0_2_005639E0
Source: C:\Users\user\Desktop\EDownloader.exe File created: C:\Users\user\Desktop\EasyLog.log
Source: C:\Users\user\Desktop\EDownloader.exe Mutant created: NULL
Source: EDownloader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EDownloader.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EDownloader.exe String found in binary or memory: 0123456789abcdef%d.%d.%d.%dkernel32LoadLibraryExA\/AddDllDirectoryschannel
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EDownloader.exe Section loaded: textshaping.dll
Source: EDownloader.exe Static file information: File size 1327952 > 1048576
Source: EDownloader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EDownloader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EDownloader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EDownloader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EDownloader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EDownloader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: EDownloader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EDownloader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EDownloader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EDownloader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EDownloader.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005287D0 RegCreateKeyExA,RegSetValueExA,RegCloseKey,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_005287D0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EF5D5 push ecx; ret 0_2_005EF5E8
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EF766 push ecx; ret 0_2_005EF779
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005FB94E push ecx; iretd 0_2_005FB94F
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005581C0 GetWindowRect,GetParent,GetWindow,MonitorFromWindow,GetMonitorInfoW,IsIconic,GetWindowRect,SetWindowPos, 0_2_005581C0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005591B0 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,SetCapture,GetTickCount,SetFocus,SetCapture,GetTickCount,ReleaseCapture,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC, 0_2_005591B0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00563400 IsIconic, 0_2_00563400
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00525500 GetWindowLongW,SetWindowLongW,IsIconic,ScreenToClient,GetClientRect,IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,CallWindowProcW, 0_2_00525500
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00563820 IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject, 0_2_00563820
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EDDDB GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_005EDDDB
Source: C:\Users\user\Desktop\EDownloader.exe API coverage: 2.3 %
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EF77B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005EF77B
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0060FAEA mov eax, dword ptr fs:[00000030h] 0_2_0060FAEA
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0060FB30 mov eax, dword ptr fs:[00000030h] 0_2_0060FB30
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00605E63 mov eax, dword ptr fs:[00000030h] 0_2_00605E63
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EEB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005EEB22
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005EF90E SetUnhandledExceptionFilter, 0_2_005EF90E
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005F3FEE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005F3FEE
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0059E130 cpuid 0_2_0059E130
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_006140C0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: EnumSystemLocalesW, 0_2_0060C26F
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW,MultiByteToWideChar,GetVersionExW,IsWindow,PostMessageW, 0_2_0054C350
Source: C:\Users\user\Desktop\EDownloader.exe Code function: EnumSystemLocalesW, 0_2_00614366
Source: C:\Users\user\Desktop\EDownloader.exe Code function: EnumSystemLocalesW, 0_2_006143B1
Source: C:\Users\user\Desktop\EDownloader.exe Code function: EnumSystemLocalesW, 0_2_0061444C
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_006144D7
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW, 0_2_0061472C
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00614854
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW, 0_2_0060C822
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW, 0_2_0061495C
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00614A2F
Source: C:\Users\user\Desktop\EDownloader.exe Code function: GetLocaleInfoW, 0_2_005394D0
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0060C861 GetSystemTimeAsFileTime, 0_2_0060C861
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_00526920 GetUserNameW,LookupAccountNameW,IsValidSid,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority, 0_2_00526920
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0060EC7B _free,_free,_free,GetTimeZoneInformation,_free, 0_2_0060EC7B
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_0054C350 GetLocaleInfoW,MultiByteToWideChar,GetVersionExW,IsWindow,PostMessageW, 0_2_0054C350
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005C0240 htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 0_2_005C0240
Source: C:\Users\user\Desktop\EDownloader.exe Code function: 0_2_005DF6C0 bind,WSAGetLastError, 0_2_005DF6C0
No contacted IP infos