Analysis Report logman.exe
Overview
General Information
Sample Name: | logman.exe |
Analysis ID: | 319946 |
MD5: | ca042c9a80d01c409c740d0437942b4e |
SHA1: | 715146caa48d94a6ae2f6f0b2d5268296d51773e |
SHA256: | cdaa7d2fd4328877fcab873cfa85b6b46b0a1afa6cc39017ced21dcfb139bba7 |
Detection
Score: | 23 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Source: | Code function: | 0_2_00007FF665A3E5EC |
Source: | Code function: | 0_2_00007FF665A404BC |
Source: | Code function: | 0_2_00007FF665A34EA8 |
Source: | Code function: | 0_2_00007FF665A3A2D4 |
Source: | Code function: | 0_2_00007FF665A3B530 |
Source: | Code function: | 0_2_00007FF665A3D130 |
Source: | Code function: | 0_2_00007FF665A3B03C |
Source: | Code function: | 0_2_00007FF665A35C2C |
Source: | Code function: | 0_2_00007FF665A37C0C |
Source: | Code function: | 0_2_00007FF665A3D544 |
Source: | Code function: | 0_2_00007FF665A33F88 |
Source: | Code function: | 0_2_00007FF665A36B8C |
Source: | Code function: | 0_2_00007FF665A3D384 |
Source: | Classification label: | sus23.winEXE@2/0@0/0 |
Source: | Code function: | 0_2_00007FF665A3C270 |
Source: | Code function: | 0_2_00007FF665A34EA8 |
Source: | Code function: | 0_2_00007FF665A395E8 |
Data Obfuscation: |
---|
Binary contains a suspicious time stamp |
Source: | Static PE information: | 0xEA48DB36 [Thu Jul 22 13:20:54 2094 UTC] |
Note: the stamp lies 74 years after the analysis date, which is why this signature fires. Since Windows 10, Microsoft builds the operating system binaries reproducibly and stores a hash of the build in the PE TimeDateStamp field instead of a link time, so a nonsensical value is expected for a file whose version resource reports build 10.0.19041.546 and is not on its own evidence of timestomping. Compare the stamp and the hashes above with the logman.exe of a trusted installation of that build before drawing a conclusion.
Source: | Check user administrative privileges: | graph_0-5467 |
Source: | Code function: | 0_2_00007FF665A3E5EC |
Source: | Code function: | 0_2_00007FF665A34EA8 |
Source: | Code function: | 0_2_00007FF665A414A0 |
Source: | Code function: | 0_2_00007FF665A41194 |
Source: | Code function: | 0_2_00007FF665A35C2C |
Source: | Code function: | 0_2_00007FF665A404BC |
Source: | Code function: | 0_2_00007FF665A3C948 |
Source: | Code function: | 0_2_00007FF665A3EEA8 |
Source: | Code function: | 0_2_00007FF665A41674 |
Source: | Code function: | 0_2_00007FF665A34EA8 |
Source: | Code function: | 0_2_00007FF665A3FF14 |
Mitre Att&ck Matrix |
---|
Techniques matched by at least one signature; the number in parentheses is the count of matching signatures.
Tactic | Technique (matched signatures) |
---|---|
Execution | Native API (1) |
Privilege Escalation | Process Injection (1) |
Defense Evasion | Process Injection (1), Timestomp (1) |
Discovery | System Time Discovery (1), Security Software Discovery (11), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (13) |
Collection | Archive Collected Data (1) |
Command and Control | Encrypted Channel (1) |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
logman.exe | 0% | Virustotal | |
logman.exe | 0% | Metadefender | |
logman.exe | 0% | ReversingLabs | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 319946 |
Start date: | 18.11.2020 |
Start time: | 21:15:26 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 2m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | logman.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | SUS |
Classification: | sus23.winEXE@2/0@0/0 (verdict SUS, score 23, Windows executable; 2 processes, 0 dropped files, 0 contacted domains, 0 contacted IPs, matching the System Behavior and Network Behavior sections below) |
HCA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | PE32+ executable (console) x86-64, for MS Windows |
Entropy (8bit): | 5.525535467255417 |
File name: | logman.exe |
File size: | 120320 |
MD5: | ca042c9a80d01c409c740d0437942b4e |
SHA1: | 715146caa48d94a6ae2f6f0b2d5268296d51773e |
SHA256: | cdaa7d2fd4328877fcab873cfa85b6b46b0a1afa6cc39017ced21dcfb139bba7 |
SHA512: | 32c0ef8ab6a938dfc0bb00f41b4a2937ea9370d80104a4d1f6cc5782d1f97d4c8823f413a02a6f911dc06f4b1eecf4bafab08db56cdf678e0e0b37cba7c96a63 |
SSDEEP: | 3072:jk3dNq/ZpEoxPeFpT0NMrUs0Kj6aWkGTy:jk3/q/PEoxP6pT0NY0Kja |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.......................-.......*......./......./.......+.......&...............,.....Rich....................PE..d...6.H.... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x140011050 |
Entrypoint Section: | .text |
Digitally signed: | false (no embedded Authenticode signature: the IMAGE_DIRECTORY_ENTRY_SECURITY directory below is empty. Windows system binaries are normally signed through catalog files rather than an embedded signature, so verify with a catalog-aware tool such as Get-AuthenticodeSignature or sigcheck before treating the file as unsigned) |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
Time Stamp: | 0xEA48DB36 [Thu Jul 22 13:20:54 2094 UTC] (future date; Windows 10 system binaries are built reproducibly and this field holds a build hash rather than a link time) |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 10 |
OS Version Minor: | 0 |
File Version Major: | 10 |
File Version Minor: | 0 |
Subsystem Version Major: | 10 |
Subsystem Version Minor: | 0 |
Import Hash: | 468ae0e85185c7b62e8740f0b95d8d25 |
Entrypoint Preview |
---|
Note: the listing below was produced by a 32-bit decoder. Every dec eax, inc eax, inc ecx, inc ebx or dec esp that immediately precedes another instruction is the REX prefix (0x48, 0x40, 0x41, 0x43, 0x4C) of that instruction and the operands are 64-bit registers: "dec eax / sub esp, 28h" is sub rsp, 28h and "inc eax / push ebx" is push rbx. Read that way, the entry point is the standard MSVC x64 CRT stub (sub rsp, 28h; call the security-cookie initialiser; add rsp, 28h; jmp to the CRT main routine), and the block after the int3 padding (cmp rcx, [cookie]; jne; rol rcx, 10h; test cx, 0FFFFh; jne; ret; ror rcx, 10h; jmp to the GS-failure handler) is the stack-cookie check __security_check_cookie. Nothing in the stub is unusual for a Microsoft console utility.
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F511489BEC0h |
dec eax |
add esp, 28h |
jmp 00007F511489B6C3h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
nop word ptr [eax+eax+00000000h] |
dec eax |
cmp ecx, dword ptr [0000A1D1h] |
jne 00007F511489B8B2h |
dec eax |
rol ecx, 10h |
test cx, FFFFh |
jne 00007F511489B8A3h |
ret |
dec eax |
ror ecx, 10h |
jmp 00007F511489B9D7h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
dec eax |
lea ecx, dword ptr [0000C6E4h] |
call dword ptr [00004096h] |
mov eax, dword ptr [0000A190h] |
dec eax |
lea ecx, dword ptr [0000C6D1h] |
mov edx, dword ptr [0000CC63h] |
inc eax |
mov dword ptr [0000A17Bh], eax |
mov dword ptr [ebx], eax |
dec eax |
mov eax, dword ptr [00000058h] |
inc ecx |
mov ecx, 00000004h |
dec esp |
mov eax, dword ptr [eax+edx*8] |
mov eax, dword ptr [0000A160h] |
inc ebx |
mov dword ptr [ecx+eax], eax |
call dword ptr [0000405Eh] |
dec eax |
lea ecx, dword ptr [0000C69Fh] |
dec eax |
add esp, 20h |
pop ebx |
dec eax |
jmp dword ptr [00004063h] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18ae8 | 0x280 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x808 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1f000 | 0x924 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x21000 | 0x854 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x17f40 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x14db8 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14ca0 | 0x118 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14de0 | 0x5c8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x10966 | 0x10a00 | False | 0.486548402256 | data | 6.18960548838 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x12000 | 0x8134 | 0x8200 | False | 0.364603365385 | data | 4.20455027863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1b000 | 0x3068 | 0x2800 | False | 0.06630859375 | data | 0.447443967859 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.pdata | 0x1f000 | 0x924 | 0xa00 | False | 0.45625 | PEX Binary Archive | 4.50307300662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x20000 | 0x808 | 0xa00 | False | 0.38359375 | data | 3.71062234732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x21000 | 0x854 | 0xa00 | False | 0.4015625 | data | 4.98444381936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
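The header fields above (time stamp, DLL characteristics, security directory, data directories, section flags) are read straight from the PE headers, and most of the static observations in this report follow from them. The Python below is an added example, not code from the Joe Sandbox report or from Microsoft: a minimal PE32+ header parser followed by the triage checks a reviewer applies to those fields. build_sample_pe() is a constructed, headers-only stand-in populated with the values this report lists (the real file is not embedded); pass the path of an actual logman.exe on the command line to read the same fields from disk. Incidentally, the .pdata section that the type guesser labels "PEX Binary Archive" is simply the x64 exception/unwind table: the EXCEPTION data directory points at its address (0x1f000).

```python
"""Minimal PE32+ header parser plus the static-triage checks a reviewer applies
to the fields shown in this report.  Added example, not code from Joe Sandbox
or Microsoft.  build_sample_pe() is a constructed, headers-only stand-in that
carries this report's header values; it is not the real logman.exe."""
import struct
from datetime import datetime, timedelta, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
                    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
COFF_FMT = "<HHIIIHH"                        # IMAGE_FILE_HEADER (20 bytes)
OPT64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"  # IMAGE_OPTIONAL_HEADER64 up to the directories (112 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER (40 bytes)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def link_time(stamp: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch (UTC) when it is a real date."""
    return EPOCH + timedelta(seconds=stamp)


def parse_pe(data: bytes) -> dict:
    """Read COFF header, optional header, data directories and section table of a PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    opt_off = pe_off + 24
    opt = struct.unpack_from(OPT64_FMT, data, opt_off)
    if opt[0] != 0x20B:
        raise ValueError("only PE32+ (magic 0x20B) is handled here")
    dirs = {name: struct.unpack_from("<II", data, opt_off + 112 + 8 * i)
            for i, name in enumerate(DATA_DIRECTORIES[:opt[28]])}
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "characteristics": flags})
    return {"machine": machine, "timestamp": stamp, "file_characteristics": chars,
            "entry_point": opt[6], "image_base": opt[8], "subsystem": opt[21],
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if opt[22] & bit],
            "data_directories": dirs, "sections": sections}


def triage(info: dict, analysis_date: datetime = None) -> list:
    """Leads a reviewer raises from the headers alone; none of them is a verdict."""
    analysis_date = analysis_date or datetime.now(timezone.utc)
    findings = []
    built = link_time(info["timestamp"])
    if built > analysis_date or built.year < 1995:
        # A future stamp is either timestomping or, on Microsoft's reproducibly built
        # Windows binaries, a build hash that was never a date; compare with a known copy.
        findings.append(f"implausible link timestamp {built:%Y-%m-%d} (0x{info['timestamp']:08X}): "
                        "timestomped, or a reproducible-build hash")
    if info["data_directories"]["SECURITY"] == (0, 0):
        # Windows system files are usually catalog-signed, so this alone does not mean 'unsigned'.
        findings.append("no embedded Authenticode signature: check catalog signing first")
    for s in info["sections"]:
        if s["characteristics"] & SCN_MEM_EXECUTE and s["characteristics"] & SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["vsize"] and not s["raw_size"]:
            findings.append(f"section {s['name']} has no raw data but {s['vsize']:#x} virtual bytes")
    for want in ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"):
        if want not in info["dll_characteristics"]:
            findings.append(f"mitigation {want} not enabled")
    return findings


def build_sample_pe() -> bytes:
    """Constructed headers-only PE32+ image carrying the values listed in this report."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x8664, 6, 0xEA48DB36, 0, 0, 240, 0x0022)
    opt = struct.pack(OPT64_FMT, 0x20B, 14, 0, 0x10A00, 0xC000, 0, 0x11050, 0x1000,
                      0x140000000, 0x1000, 0x200, 10, 0, 10, 0, 10, 0, 0, 0x22000, 0x400, 0,
                      3, 0xC160, 0x80000, 0x11000, 0x100000, 0x1000, 0, 16)
    listed = {"IMPORT": (0x18AE8, 0x280), "RESOURCE": (0x20000, 0x808), "EXCEPTION": (0x1F000, 0x924),
              "BASERELOC": (0x21000, 0x854), "DEBUG": (0x17F40, 0x54), "TLS": (0x14DB8, 0x28),
              "LOAD_CONFIG": (0x14CA0, 0x118), "IAT": (0x14DE0, 0x5C8)}  # SECURITY stays (0, 0)
    dirs = b"".join(struct.pack("<II", *listed.get(n, (0, 0))) for n in DATA_DIRECTORIES)
    table, raw_ptr = b"", 0x400
    for name, va, vsize, raw_size, flags in [
            (b".text", 0x1000, 0x10966, 0x10A00, 0x60000020), (b".rdata", 0x12000, 0x8134, 0x8200, 0x40000040),
            (b".data", 0x1B000, 0x3068, 0x2800, 0xC0000040), (b".pdata", 0x1F000, 0x924, 0xA00, 0x40000040),
            (b".rsrc", 0x20000, 0x808, 0xA00, 0x40000040), (b".reloc", 0x21000, 0x854, 0xA00, 0x42000040)]:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += raw_size
    return dos + b"PE\0\0" + coff + opt + dirs + table


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print(f"linked {link_time(info['timestamp']):%Y-%m-%d %H:%M:%S} UTC, "
          f"mitigations {info['dll_characteristics']}")
    for finding in triage(info):
        print("-", finding)
```

On the constructed stand-in the triage returns exactly the two leads this report raises in different places, the future time stamp and the missing embedded signature, and neither of the real red flags (a writable and executable section, or a section with virtual size but no raw data, which is what a packer leaves behind) is present. The DLL characteristics come back as the same five mitigations the report lists, which is the expected profile for a Microsoft console utility.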
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
MUI | 0x20738 | 0xd0 | data | English | United States |
RT_VERSION | 0x20398 | 0x39c | data | English | United States |
RT_MANIFEST | 0x200f0 | 0x2a6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
msvcrt.dll | bsearch, ??3@YAXPEAX@Z, __CxxFrameHandler3, ?terminate@@YAXXZ, _commode, wcsncmp, _fmode, __C_specific_handler, _initterm, __setusermatherr, _wcsnicmp, _cexit, _exit, iswspace, _wmakepath_s, exit, __set_app_type, __wgetmainargs, _amsg_exit, _XcptFilter, wcsrchr, isspace, fgetws, wcsstr, _wfopen, wprintf, wcschr, _errno, wcstok, qsort, fseek, _wtoi, fclose, _wcsicmp, towlower, ferror, memmove, _vsnwprintf, _wsplitpath_s, malloc, _callnewh, memcpy, memset |
api-ms-win-security-base-l1-1-0.dll | SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, GetTokenInformation, SetSecurityDescriptorGroup, InitializeSecurityDescriptor, GetSecurityDescriptorOwner, SetSecurityDescriptorOwner, GetSecurityDescriptorGroup |
api-ms-win-core-file-l1-1-0.dll | CreateFileW, WriteFile, FindFirstFileW, ReadFile, FindClose, FindNextFileW, SetFilePointerEx, GetFullPathNameW, GetFileType |
api-ms-win-core-libraryloader-l1-2-0.dll | FreeResource, SizeofResource, LoadStringW, FreeLibrary, GetModuleFileNameW, LoadResource, FindResourceExW, GetModuleHandleW, LockResource, LoadLibraryExW |
OLEAUT32.dll | SystemTimeToVariantTime, VariantInit, SysAllocString, VariantChangeType, VarDateFromStr, SysFreeString, SafeArrayUnaccessData, SafeArrayDestroy, VariantTimeToSystemTime, SafeArrayCreateVector, SafeArrayAccessData, VariantClear, VarBstrFromDate |
api-ms-win-core-heap-l1-1-0.dll | GetProcessHeap, HeapFree, HeapAlloc, HeapSetInformation |
api-ms-win-core-processthreads-l1-1-0.dll | GetCurrentProcessId, OpenProcessToken, GetCurrentThreadId, GetCurrentProcess, OpenThreadToken, GetCurrentThread, TerminateProcess |
api-ms-win-core-processenvironment-l1-1-0.dll | GetStdHandle, GetCurrentDirectoryW, SearchPathW |
api-ms-win-security-sddl-l1-1-0.dll | ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW |
api-ms-win-core-console-l1-1-0.dll | ReadConsoleW, GetConsoleMode, GetConsoleOutputCP, WriteConsoleW, SetConsoleMode |
api-ms-win-core-com-l1-1-0.dll | CoInitializeEx, CoCreateInstance, CoUninitialize, CoInitializeSecurity, CreateStreamOnHGlobal, StringFromGUID2 |
SspiCli.dll | GetUserNameExW |
api-ms-win-shcore-path-l1-1-0.dll | |
api-ms-win-core-string-l1-1-0.dll | WideCharToMultiByte, MultiByteToWideChar |
api-ms-win-core-errorhandling-l1-1-0.dll | GetLastError, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetLastError |
api-ms-win-core-heap-l2-1-0.dll | GlobalFree, LocalFree, GlobalAlloc |
api-ms-win-core-handle-l1-1-0.dll | CloseHandle |
api-ms-win-core-libraryloader-l1-2-1.dll | LoadLibraryW, FindResourceW |
api-ms-win-core-heap-obsolete-l1-1-0.dll | GlobalUnlock, GlobalLock |
api-ms-win-core-timezone-l1-1-0.dll | SystemTimeToFileTime |
api-ms-win-core-synch-l1-2-0.dll | SleepConditionVariableSRW, WakeAllConditionVariable, Sleep |
api-ms-win-core-synch-l1-1-0.dll | AcquireSRWLockExclusive, ReleaseSRWLockExclusive |
api-ms-win-core-rtlsupport-l1-1-0.dll | RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind |
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter |
api-ms-win-core-sysinfo-l1-1-0.dll | GetVersionExW, GetTickCount, GetSystemTimeAsFileTime |
api-ms-win-core-localization-l1-2-0.dll | GetLocaleInfoW, FormatMessageW, SetThreadPreferredUILanguages |
api-ms-win-core-version-l1-1-0.dll | GetFileVersionInfoExW, GetFileVersionInfoSizeExW, VerQueryValueW |
api-ms-win-core-console-l2-1-0.dll | GetConsoleScreenBufferInfo |
api-ms-win-core-registry-l1-1-0.dll | RegCloseKey, RegQueryValueExW, RegOpenKeyExW |
api-ms-win-core-localization-obsolete-l1-2-0.dll | GetUserDefaultUILanguage, GetSystemDefaultUILanguage |
api-ms-win-core-memory-l1-1-0.dll | CreateFileMappingW, UnmapViewOfFile, MapViewOfFile |
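The Import Hash listed under Static PE Info (468ae0e85185c7b62e8740f0b95d8d25) is derived from exactly this table: it is the MD5 of the "library.symbol" pairs in import-table order, lowercased, with the .dll/.ocx/.sys extension stripped and ordinal-only imports written as "ordN", the scheme pefile popularised and the usual pivot for finding other builds of the same binary. The Python below is an added example, not code from Joe Sandbox or from pefile. IMPORTS is a subset of the table above transcribed in the order the report prints it; because the report does not show the on-disk order of the import directory, the value it computes is only comparable with the report's hash once the full table is supplied in that order.

```python
"""pefile-style import hash (imphash), recomputed from an import table.
Added example, not code from Joe Sandbox or from pefile.  IMPORTS is a subset
of this report's import table in the order the report prints it."""
import hashlib

IMPORTS = [  # (DLL as named in the import directory, imported symbols in table order)
    ("msvcrt.dll", ["bsearch", "??3@YAXPEAX@Z", "__CxxFrameHandler3", "?terminate@@YAXXZ"]),
    ("api-ms-win-security-base-l1-1-0.dll",
     ["SetSecurityDescriptorDacl", "GetSecurityDescriptorDacl", "GetTokenInformation"]),
    ("api-ms-win-core-processthreads-l1-1-0.dll",
     ["GetCurrentProcessId", "OpenProcessToken", "GetCurrentThreadId", "OpenThreadToken"]),
    ("SspiCli.dll", ["GetUserNameExW"]),
]
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def import_pairs(imports) -> list:
    """Normalise to 'library.symbol': lowercase, extension stripped, ordinals as 'ordN'."""
    pairs = []
    for dll, symbols in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base
        for sym in symbols:
            # pefile additionally maps well-known ordinals of oleaut32/ws2_32 to names; not done here.
            name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            pairs.append(f"{lib}.{name}")
    return pairs


def imphash(imports) -> str:
    """MD5 over the comma-joined pairs.  Order matters, so the hash pivots on build lineage, not behaviour."""
    return hashlib.md5(",".join(import_pairs(imports)).encode()).hexdigest()


if __name__ == "__main__":
    print(imphash(IMPORTS))  # compare with the report's Import Hash once the full table is in on-disk order
```

To reproduce the report's value, feed the complete import directory in file order (for example from pefile's DIRECTORY_ENTRY_IMPORT) rather than the excerpt; two samples sharing an imphash share an import table, which for a Microsoft utility mostly ties together builds of the same tool rather than indicating malicious lineage.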
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Microsoft Corporation. All rights reserved. |
InternalName | Logman.exe |
FileVersion | 10.0.19041.546 (WinBuild.160101.0800) |
CompanyName | Microsoft Corporation |
ProductName | Microsoft Windows Operating System |
ProductVersion | 10.0.19041.546 |
FileDescription | Performance Log Utility |
OriginalFilename | Logman.exe |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
System Behavior |
---|
General |
---|
Start time: | 21:16:22 |
Start date: | 18/11/2020 |
Path: | C:\Users\user\Desktop\logman.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff665a30000 |
File size: | 120320 bytes |
MD5 hash: | CA042C9A80D01C409C740D0437942B4E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 21:16:22 |
Start date: | 18/11/2020 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 4.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 42.9% |
Total number of Nodes: | 1317 |
Total number of Limit Nodes: | 3 |
Executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FF665A34EA8 | 65.5 | 33 | 4 | 708 | memory, COMMON |
00007FF665A3C948 | 35.3 | 18 | 2 | 256 | memory, COMMON |
00007FF665A404BC | 23.1 | 11 | 2 | 357 | library, COMMON |
00007FF665A3C270 | 12.3 | 6 | 1 | 78 | window, library, COMMON |
00007FF665A3BDF8 | 19.7 | 13 | 0 | 200 | memory, COMMON |
Non-executed Functions |
---|
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
00007FF665A36B8C | 77.7 | 42 | 2 | 676 | file, COMMON |
00007FF665A3B03C | 51.1 | 25 | 4 | 314 | memory, COMMON |
00007FF665A35C2C | 44.0 | 23 | 2 | 206 | memory, COMMON |
00007FF665A3D544 | 43.9 | 20 | 5 | 197 | memory, COMMON |
00007FF665A37C0C | 42.5 | 23 | 1 | 471 | memory, com, COMMON |
00007FF665A3A2D4 | 28.3 | 14 | 2 | 265 | memory, com, COMMON |
00007FF665A3E5EC | 19.8 | 13 | 0 | 279 | memory, file, COMMON |
00007FF665A395E8 | 18.1 | 12 | 0 | 101 | memory, COMMON |
00007FF665A3B530 | 15.9 | 8 | 1 | 190 | memory, COMMON |
00007FF665A3EEA8 | 10.6 | 7 | 0 | 116 | memory, COMMON |
00007FF665A41674 | 9.0 | 6 | 0 | 49 | time, thread, COMMON |
00007FF665A33F88 | 0.8 | 0 | 0 | 755 | COMMON |
00007FF665A3D384 | 0.1 | 0 | 0 | 126 | COMMON |
00007FF665A35A38 | 31.6 | 17 | 1 | 128 | memory, thread, COMMON |
00007FF665A3761C | 26.4 | 14 | 1 | 188 | memory, COMMON |
00007FF665A3B93C | 22.9 | 12 | 1 | 150 | file, COMMON |
00007FF665A38428 | 21.3 | 9 | 3 | 255 | memory, COMMON |
00007FF665A39768 | 21.2 | 6 | 6 | 180 | memory, COMMON |
00007FF665A390A4 | 19.6 | 13 | 0 | 137 | memory, COMMON |
00007FF665A3D87C | 19.4 | 3 | 8 | 113 | COMMON |
00007FF665A36684 | 14.2 | 6 | 2 | 243 | COMMON |
00007FF665A36334 | 13.6 | 9 | 0 | 107 | memory, COMMON |
00007FF665A3F2FC | 12.7 | 10 | 0 | 188 | memory, COMMON |
00007FF665A38C5C | 12.2 | 8 | 0 | 218 | memory, COMMON |
00007FF665A3F064 | 12.1 | 8 | 0 | 95 | memory, time, COMMON |
00007FF665A392C8 | 10.7 | 4 | 2 | 210 | memory, COMMON |
00007FF665A38830 | 10.7 | 7 | 0 | 160 | memory, COMMON |
00007FF665A3ACBC | 10.6 | 5 | 1 | 96 | memory, COMMON |
00007FF665A40200 | 10.6 | 4 | 2 | 68 | registry, COMMON |
00007FF665A39B60 | 9.3 | 6 | 0 | 292 | memory, com, COMMON |
00007FF665A3FE24 | 9.1 | 6 | 0 | 62 | file, library, COMMON |
00007FF665A3C3BC | 7.7 | 4 | 1 | 163 | memory, COMMON |
00007FF665A36148 | 6.1 | 4 | 0 | 124 | com, memory, COMMON |
00007FF665A38398 | 6.0 | 2 | 2 | 35 | COMMON |