
Analysis Report install.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:188732
Start date:09.11.2019
Start time:23:53:58
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 10s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:install.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 92.1%)
  • Quality average: 65.7%
  • Quality standard deviation: 30.7%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 48
Range: 0 - 100
Reporting Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--"). The strings recovered from the binary (listed under "Sample might require command line arguments" in the System Summary below, e.g. -add-start-menu, -install-icons, -create-vimrc) show that this sample's switches take a single leading "-".



Mitre Att&ck Matrix

Techniques are listed per tactic; a bracketed number is the count of matched signatures shown in the report, and techniques without a number are the matrix's placeholder rows (no match).

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Rootkit; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: System Time Discovery [2]; Security Software Discovery [2]; File and Directory Discovery [1]; System Information Discovery [1] [1] (shown in the report as two separate count badges)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol [1]; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: install.exe; Virustotal: Detection: 41%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CAC13C FindFirstFileExW

Networking:

Urls found in memory or binary data
Source: install.exe; String found in binary or memory: https://www.vim.org/
Source: install.exe; String found in binary or memory: https://www.vim.org/InternetShortcutCreating

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\install.exe; Code functions (23):
  • 0_2_00007FF605CABF30, 0_2_00007FF605CAF6D0, 0_2_00007FF605CB2660, 0_2_00007FF605C9EDC4, 0_2_00007FF605C9857C, 0_2_00007FF605C9C934
  • 0_2_00007FF605C9E8B8, 0_2_00007FF605CA4834, 0_2_00007FF605C9B794, 0_2_00007FF605CA6AB4, 0_2_00007FF605C9BA18, 0_2_00007FF605CA1178
  • 0_2_00007FF605CB09B0, 0_2_00007FF605CA2950, 0_2_00007FF605CAC13C, 0_2_00007FF605C924D0, 0_2_00007FF605CAA4C0, 0_2_00007FF605CA93CC
  • 0_2_00007FF605CAABC4, 0_2_00007FF605CB33F0, 0_2_00007FF605CA0BF0, 0_2_00007FF605CB53A8, 0_2_00007FF605CB2370
Note: this is a static heuristic, and one of the flagged functions (0_2_00007FF605CAC13C) is the same function reported above for FindFirstFileExW; confirm by inspecting a flagged function before treating it as cryptographic code.
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\install.exe; Code function: String function: 00007FF605C97820 appears 133 times
Source: C:\Users\user\Desktop\install.exe; Code function: String function: 00007FF605C97870 appears 116 times
Classification label
Source: classification engine; Classification label: mal48.winEXE@2/1@0/0
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605C955D0 CoInitialize,CoCreateInstance,MultiByteToWideChar
PE file has an executable .text section and no other executable section
Source: install.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\install.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this key holds Software Restriction Policies; Windows' own process-creation path consults it, so this access is seen for most samples and is not by itself suspicious.
Sample is known by Antivirus
Source: install.exe; Virustotal: Detection: 41%
Sample might require command line arguments
Source: install.exe; Strings found in binary or memory (repeated hits collapsed):
  • -install-icons
  • -add-start-menu
  • -install-openwith
  • -install-popup
  • -add-start-menu Add Vim to the start menu
  • -install-icons Create icons for gVim executables on the desktop
  • -create-vimrc-vimrc-remap-vimrc-behaveunixdefault-vimrc-compatdefaults-install-popup-install-openwith-add-start-menu-install-icons-create-directorieshomeUnknown argument for -create-directories: %s
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\install.exe 'C:\Users\user\Desktop\install.exe'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
PE file has a high image base, often used for DLLs
Source: install.exe; Static PE information: Image base 0x140000000 > 0x60000000
Note: 0x140000000 is the default image base the Visual C++ linker assigns to 64-bit executables, so this signature fires on ordinary x64 EXEs as well.
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: install.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: install.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Note: the console output captured in \Device\ConDrv (see "Created / dropped Files" below) shows that install.exe printed an error because it was not located in its "vim81" directory and exited immediately. The idle behaviour follows from that early exit and is not evidence of sandbox evasion.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Note: conhost.exe is the Windows console host started for this console-subsystem program; the delayed thread belongs to it, not to the sample.
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CAC13C FindFirstFileExW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CA5790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CAE0D4 GetProcessHeap
Program does not show much activity (idle)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605C97D9C SetUnhandledExceptionFilter,_invalid_parameter_noinfo
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CA5790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605C98314 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605C97980 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605C984BC SetUnhandledExceptionFilter
Note: these call sequences (RtlCaptureContext, RtlLookupFunctionEntry and RtlVirtualUnwind followed by IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter; IsProcessorFeaturePresent ahead of the same sequence; SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess) are the fatal-error handlers of the MSVC C runtime (security cookie failure, fast-fail and abort), which are statically linked into every console program built with Visual C++. They call IsDebuggerPresent only to adjust how the crash is reported when a debugger is attached, so they are not evidence of sample-specific anti-debugging.

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CB51F0 cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605C981FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\install.exe; Code function: 0_2_00007FF605CB35F8 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation
Note: the GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter sequence is the MSVC C runtime's security cookie initialization (these values are mixed to seed the /GS stack cookie), and the _get_daylight / GetTimeZoneInformation sequence is the runtime's time zone initialization; neither is sample-specific environment probing. The cpuid use cannot be attributed from the call list alone.
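Most of the "Code function" hits in the sections above are the same handful of MSVC C-runtime helpers reported under several signature names. The following Python, an added triage aid that is not part of the Joe Sandbox report, parses lines in the report's "Code function: 0_2_<address> Api,Api,...,0_2_<address>" format, merges hits for the same function address, and labels functions whose API sets contain a known runtime helper's calls. The sample lines are copied from this report; the CRT labels are my identification of well-known runtime helpers, not a classification made by the sandbox.

```python
"""Group Joe Sandbox "Code function" hits by address and flag MSVC CRT boilerplate."""
import re

# "Code function: 0_2_<addr> Api1,Api2,...,0_2_<addr>"; the API list and the
# trailing back-reference are both optional so bare address hits parse too.
CODE_FUNC_RE = re.compile(
    r"Code function:\s*(?P<ref>\d+_\d+_(?P<addr>[0-9A-Fa-f]{16}))"
    r"(?:\s+(?P<apis>.+?))?(?:[,\s]*(?P=ref))?\s*$"
)

# API sets that, taken together, identify statically linked MSVC CRT helpers
# (my identification of well-known runtime code, not the sandbox's).
CRT_PATTERNS = {
    "MSVC CRT security cookie init (__security_init_cookie)": {
        "GetSystemTimeAsFileTime", "GetCurrentThreadId",
        "GetCurrentProcessId", "QueryPerformanceCounter"},
    "MSVC CRT fatal error report (GS failure / fast-fail path)": {
        "RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
        "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"},
    "MSVC CRT abort path": {
        "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
        "GetCurrentProcess", "TerminateProcess"},
    "MSVC CRT time zone init": {"_get_daylight", "GetTimeZoneInformation"},
}


def parse_code_function(line: str):
    """Return (address, [api, ...]) for a Code function line, else None."""
    m = CODE_FUNC_RE.search(line)
    if not m:
        return None
    apis = [a for a in re.split(r"[,\s]+", m.group("apis") or "") if a]
    return m.group("addr").upper(), apis


def classify(apis):
    """Label a function by the first CRT pattern fully contained in its API set."""
    if not apis:
        return "no API calls listed"
    api_set = set(apis)
    for label, pattern in CRT_PATTERNS.items():
        if pattern <= api_set:
            return label
    return "unclassified"


def triage(lines):
    """Map address -> {"apis": [...], "label": ...}, merging hits per address."""
    funcs = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        addr, apis = parsed
        entry = funcs.setdefault(addr, {"apis": []})
        for api in apis:
            if api not in entry["apis"]:
                entry["apis"].append(api)
    for entry in funcs.values():
        entry["label"] = classify(entry["apis"])
    return funcs


def summarize(funcs):
    """Count functions per label so the CRT noise can be seen at a glance."""
    counts = {}
    for entry in funcs.values():
        counts[entry["label"]] = counts.get(entry["label"], 0) + 1
    return counts


# Lines copied from this report's signature section (raw report format).
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605CA5790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF605CA5790",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605C981FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF605C981FC",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605C97980 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF605C97980",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605CB35F8 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF605CB35F8",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605CAC13C FindFirstFileExW,0_2_00007FF605CAC13C",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605C955D0 CoInitialize,CoCreateInstance,MultiByteToWideChar,0_2_00007FF605C955D0",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605CB51F0 cpuid 0_2_00007FF605CB51F0",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: 0_2_00007FF605CABF300_2_00007FF605CABF30",
    "Source: C:\\Users\\user\\Desktop\\install.exe Code function: String function: 00007FF605C97820 appears 133 times",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for addr, entry in sorted(result.items()):
        print(f"{addr}  {entry['label']:<58} {','.join(entry['apis'])}")
    print(summarize(result))
```

On the sample lines four of the eight functions come out as CRT helpers, three (FindFirstFileExW, the COM instantiation and cpuid) stay unclassified and deserve a look, and the "potential crypto function" hit carries no API list at all. Matching on set containment rather than exact sequence keeps the patterns robust to the extra calls (IsDebuggerPresent, IsProcessorFeaturePresent) that different CRT versions add.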

Behavior Graph

Behavior Graph ID: 188732
Sample: install.exe
Start date: 09/11/2019
Architecture: WINDOWS
Score: 48
Signatures attached to the sample: Multi AV Scanner detection for submitted file
Process tree: install.exe (started) -> conhost.exe (started)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
install.exe | 41% | Virustotal |
install.exe | 5% | Metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Startup

  • System is w10x64
  • install.exe (PID: 3332 cmdline: 'C:\Users\user\Desktop\install.exe' MD5: A575278BFF5AF556D480037A5B0C2E1B)
    • conhost.exe (PID: 4300 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Created / dropped Files

\Device\ConDrv
Process:C:\Users\user\Desktop\install.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):174
Entropy (8bit):4.5136802324600716
Encrypted:false
MD5:F034E9845B6B4AFF95F96B7ED6FD42CA
SHA1:686BABFFFA02AA85FE660D1FC68A35E20846F4FF
SHA-256:44020A51D14742048745EE8D93E61BD6B53858A6D0F4A5197C7CA323BB18ED08
SHA-512:437933F743DB23CA55F471E3CB76449C161F352D1C8E4490F013E7DAFC04D18418C08CA9E2C81C6FE83A4E3D19503ECD7A5CCD6DBA259D7DE5FDD5113759EB87
Malicious:false
Reputation:low
Preview (console output, line breaks restored; the three lines plus the blank line account for all 174 bytes):
  This program sets up the installation of Vim 8.1

  ERROR: Install program not in directory "vim81"
  This program can only work when it is located in its original directory

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.vim.org/InternetShortcutCreating | install.exe | false | | high
https://www.vim.org/ | install.exe | false | | high
Note: the first entry appears to be the URL run together with the adjacent strings "InternetShortcut" and "Creating" by the string extractor; the only URL actually present is https://www.vim.org/.

      Contacted IPs

      No contacted IP infos

      Static File Info

      General

      File type:PE32+ executable (console) x86-64, for MS Windows
      Entropy (8bit):6.300751025284357
      TrID:
      • Win64 Executable Console (202006/5) 92.65%
      • Win64 Executable (generic) (12005/4) 5.51%
      • Generic Win/DOS Executable (2004/3) 0.92%
      • DOS Executable Generic (2002/1) 0.92%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:install.exe
      File size:234496
      MD5:a575278bff5af556d480037a5b0c2e1b
      SHA1:9991de5d6c9d1c2a0431c82ad592fa402db9a2e4
      SHA256:f8b7016c33097799900b15475b71f36dfd4acb1e946e8e2ec713b4d8e6f5cfe7
      SHA512:26e054f1e7b3771a3bb97861a8f802de416e832d59dee552b4c6c4a7aa34d420df75f2b3e2837f5da59ab64b53164782146bdb69c52a8fdc8d62fa517495e848
      SSDEEP:3072:CeJthqGohW76renh5+ZzuIzOSl6Vu2YyLylDiEXVfK4HoeIuJQPyrTZE0T/wDql:jzceYenGuI/lJtyLUD/mqrTZE
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V._...1...1...1.w.5...1.w.2...1.w.4...1..E....1.@.4.7.1.@.5...1.@.2...1.......1.......1.......1...0.n.1...5...1...3...1.Rich..1

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x140007f34
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x140000000
      Subsystem:windows cui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Time Stamp:0x5DBB7611 [Fri Nov 1 00:02:25 2019 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:7bb63987f59eb36a95da06c01e7dd43d

      Entrypoint Preview

Instruction (note: the listing was decoded as 32-bit code although this is an x64 image, so a "dec eax" or "inc eax" that immediately precedes another instruction is really a REX prefix byte, 0x48 or 0x40, belonging to it: "dec eax" + "sub esp, 28h" is "sub rsp, 28h", and "inc eax" + "push ebx" is "push rbx". Register names and operand widths in the listing should be read with that in mind. The first four instructions, sub rsp, 28h / call / add rsp, 28h / jmp, are the usual shape of MSVC's mainCRTStartup: initialize the security cookie, then tail-jump into the common CRT main routine.)
      dec eax
      sub esp, 28h
      call 00007FB73458BCC4h
      dec eax
      add esp, 28h
      jmp 00007FB73458B877h
      int3
      int3
      dec eax
      sub esp, 28h
      call 00007FB73458C1ECh
      test eax, eax
      je 00007FB73458BA23h
      dec eax
      mov eax, dword ptr [00000030h]
      dec eax
      mov ecx, dword ptr [eax+08h]
      jmp 00007FB73458BA07h
      dec eax
      cmp ecx, eax
      je 00007FB73458BA16h
      xor eax, eax
      dec eax
      cmpxchg dword ptr [000314D4h], ecx
      jne 00007FB73458B9F0h
      xor al, al
      dec eax
      add esp, 28h
      ret
      mov al, 01h
      jmp 00007FB73458B9F9h
      int3
      int3
      int3
      inc eax
      push ebx
      dec eax
      sub esp, 20h
      movzx eax, byte ptr [000314BFh]
      test ecx, ecx
      mov ebx, 00000001h
      cmove eax, ebx
      mov byte ptr [000314AFh], al
      call 00007FB73458BFDBh
      call 00007FB73458C642h
      test al, al
      jne 00007FB73458BA06h
      xor al, al
      jmp 00007FB73458BA16h
      call 00007FB734598731h
      test al, al
      jne 00007FB73458BA0Bh
      xor ecx, ecx
      call 00007FB73458C65Eh
      jmp 00007FB73458B9ECh
      mov al, bl
      dec eax
      add esp, 20h
      pop ebx
      ret
      int3
      int3
      int3
      inc eax
      push ebx
      dec eax
      sub esp, 40h
      cmp byte ptr [00031474h], 00000000h
      mov ebx, ecx
      jne 00007FB73458BAB6h
      cmp ecx, 01h
      ja 00007FB73458BAB5h
      call 00007FB73458C14Ah
      test eax, eax
      je 00007FB73458BA2Ah
      test ebx, ebx
      jne 00007FB73458BA26h

      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x305d0 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3b000 | 0x1bb4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d000 | 0x780 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e9c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e9e0 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x3a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x24f30 | 0x25000 | False | 0.546980574324 | zlib compressed data | 6.44201400051 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x26000 | 0xb254 | 0xb400 | False | 0.458051215278 | data | 5.16846494941 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0x8b98 | 0x6800 | False | 0.251427283654 | data | 4.32786026208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x3b000 | 0x1bb4 | 0x1c00 | False | 0.495675223214 | data | 5.32583685695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3d000 | 0x780 | 0x800 | False | 0.57470703125 | data | 5.22638368301 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
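The static checks this report derives from the PE header (the "Static PE information" signatures in the System Summary: a single executable .text section, an image base above 0x60000000, the DYNAMIC_BASE / NX_COMPAT / HIGH_ENTROPY_VA flags, and the per-section entropies in the table above) can be reproduced in a few dozen lines of pure Python. The following is an added example and not Joe Sandbox's code. The PE image it parses is constructed inline (a minimal PE32+ console image with .text, .rdata and .data, given the same image base and DllCharacteristics as the sample) and is labelled as such; the 0x60000000 threshold is copied from the report's signature. The parser itself is generic and accepts PE32 images as well.

```python
"""Minimal PE header triage (struct only): DllCharacteristics, image base, sections, entropy."""
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
HIGH_IMAGE_BASE = 0x60000000  # threshold used by the report's "high image base" signature


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0), as in the report's section table."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    if magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", blob, opt + 24)
    elif magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", blob, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (entry_rva,) = struct.unpack_from("<I", blob, opt + 16)
    (dllchar,) = struct.unpack_from("<H", blob, opt + 70)  # same offset for PE32 and PE32+
    flags = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit]

    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]),
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    entry_section = next((s["name"] for s in sections if s["virtual_address"] <= entry_rva
                          < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    return {
        "machine": machine,
        "pe32_plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "entry_section": entry_section,
        "dll_characteristics": flags,
        "hardening_missing": [f for f in ("DYNAMIC_BASE", "NX_COMPAT") if f not in flags],
        "high_image_base": image_base > HIGH_IMAGE_BASE,
        "sections": sections,
        "executable_sections": [s["name"] for s in sections if s["executable"]],
        "writable_and_executable": [s["name"] for s in sections if s["executable"] and s["writable"]],
    }


def build_sample_pe() -> bytes:
    """Constructed PE32+ (x64 console) image with three sections; not the report's sample."""
    file_align = 0x200
    sections = [  # (name, rva, raw bytes, IMAGE_SCN_* characteristics)
        (b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),  # CODE | EXECUTE | READ
        (b".rdata", 0x2000, b"A" * 512, 0x40000040),            # INITIALIZED_DATA | READ
        (b".data", 0x3000, b"\0" * 512, 0xC0000040),            # INITIALIZED_DATA | READ | WRITE
    ]
    e_lfanew, opt_size = 0x80, 0xF0
    headers_size = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)  # 0x200 here
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint, inside .text
    struct.pack_into("<Q", opt, 24, 0x140000000)   # ImageBase, as in the report
    struct.pack_into("<H", opt, 68, 3)             # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<H", opt, 70, 0x8160)        # TS_AWARE | NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA
    table, body, raw_ptr = b"", b"", headers_size
    for name, rva, raw, chars in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0") + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"image base 0x{info['image_base']:x} (high: {info['high_image_base']}), "
          f"flags {info['dll_characteristics']}, entry in {info['entry_section']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} rva 0x{s['virtual_address']:05x} entropy {s['entropy']:.2f} "
              f"exec={s['executable']} write={s['writable']}")
```

Feeding a real file is `parse_pe(open(path, "rb").read())`. The checks worth acting on are the negative ones: a missing DYNAMIC_BASE or NX_COMPAT, a section that is both writable and executable, or an entry point outside the .text section; the "high image base" finding on its own says nothing about an x64 executable.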

      Imports

DLL | Imports
KERNEL32.dll | CopyFileA, MultiByteToWideChar, WideCharToMultiByte, SetEndOfFile, WriteConsoleW, HeapReAlloc, HeapSize, GetTempPathA, GetFileSizeEx, ReadConsoleW, ReadFile, DeleteFileW, GetProcessHeap, GetStringTypeW, WritePrivateProfileStringA, GetModuleFileNameA, GetTickCount, Sleep, GetLastError, DeleteFileA, GetTimeZoneInformation, SetCurrentDirectoryA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, ExitProcess, GetModuleHandleExW, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, CloseHandle, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetStdHandle, WriteFile, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, SetEnvironmentVariableW, SetCurrentDirectoryW, GetCurrentDirectoryW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, MoveFileExW, SetFilePointerEx, WaitForSingleObject, GetExitCodeProcess, CreateProcessW, GetFileAttributesExW, GetFullPathNameW, SetStdHandle, CreateDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwind
SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHGetSpecialFolderLocation, FindExecutableW
USER32.dll | EnumWindows, GetWindowTextA
ole32.dll | CoInitialize, CoCreateInstance
ADVAPI32.dll | RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumKeyExA, RegCreateKeyExA, RegCloseKey, RegSetValueExA
Note: the import set (file copy and delete, registry key creation and value writes, WritePrivateProfileStringA, CreateProcessW, shell folder and shortcut helpers) is what an installer needs; there are no networking imports (no WinINet, WinHTTP or ws2_32), consistent with "No network behavior found" below.

      Network Behavior

      No network behavior found

      Code Manipulations

Statistics

CPU usage, memory usage and behavior charts are per-process interactive views that are not included in this export.

      System Behavior

      General

      Start time:23:55:04
      Start date:09/11/2019
      Path:C:\Users\user\Desktop\install.exe
      Wow64 process (32bit):false
      Commandline:'C:\Users\user\Desktop\install.exe'
      Imagebase:0x7ff605c90000
      File size:234496 bytes
      MD5 hash:A575278BFF5AF556D480037A5B0C2E1B
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:23:55:04
      Start date:09/11/2019
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0x4
      Imagebase:0x7ff642e80000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Disassembly

      Code Analysis
