Analysis Report aEdlObiYav

Overview

General Information

Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
(not captured in this extraction)

Classification
(not captured in this extraction)

Startup
(not captured in this extraction)

Malware Configuration
No configs have been found

Yara Overview

Memory Dumps (11 entries in the full report; the first five are shown; the source and matched-strings columns were not captured)

Rule | Description | Author
---|---|---
JoeSecurity_Emotet | Yara detected Emotet | Joe Security
Emotet | Emotet Payload | kevoreilly
JoeSecurity_Emotet | Yara detected Emotet | Joe Security
Emotet | Emotet Payload | kevoreilly
JoeSecurity_Emotet | Yara detected Emotet | Joe Security
Unpacked PEs (23 entries in the full report; the first five are shown; the source and matched-strings columns were not captured)

Rule | Description | Author
---|---|---
MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
JoeSecurity_Emotet | Yara detected Emotet | Joe Security
Emotet | Emotet Payload | kevoreilly
MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
JoeSecurity_Emotet | Yara detected Emotet | Joe Security
Sigma Overview
No Sigma rule has matched
Signature Overview

The evidence rows under each signature survived only as their type; the actual values (function addresses, strings, IP addresses, paths, registry keys) were not preserved in this extraction. Row counts are given in parentheses.

AV Detection
- Antivirus / Scanner detection for submitted sample (source: Avira)
- Multi AV Scanner detection for submitted file (source: ReversingLabs)
- Machine Learning detection for sample (source: Joe Sandbox ML)
- Further evidence rows in this block whose signature names were not captured: Avira (4), code function (29), static PE information (1), binary string (1), TCP traffic (6), IP address (3), TCP traffic detected without corresponding DNS query (18), string found in binary or memory (40), network traffic detected (2)

E-Banking Fraud
- Detected Emotet e-Banking trojan (evidence: code function (2))
- Yara detected Emotet (evidence: file source (16), code function (2))

System Summary
- Malicious sample detected (through community Yara rule) (evidence: matched rule (20))
- Further evidence rows in this block whose signature names were not captured: code function (56), file created (2), file deleted (1), binary or memory string (4), section loaded (2), static PE information (4), matched rule (28), classification label (1), mutant created (4), file read (3), key opened (1), ReversingLabs (1), evasive API call chain (1), process created (15), key value queried (1), binary string (1)

Persistence and Installation Behavior
- Drops executables to the windows directory (C:\Windows) and starts them (evidence: executable created and started (1))
- Further evidence rows: PE file moved (1), code function (1)

Hooking and other Techniques for Hiding and Protection
- Hides that the sample has been downloaded from the Internet (zone.identifier) (evidence: file opened (1))
- Further evidence rows: code function (10), process information set (10)

Malware Analysis System Evasion
- Found evasive API chain (may stop execution after checking mutex) (evidence: evasive API call chain (1))
- Further evidence rows: file opened / queried (1), code function (60), API coverage (1), thread sleep time (1), file opened (1), last function (1), file volume queried (1), binary or memory string (8), API call chain (3), process information queried (1), queries volume information (15), key value queried (1)

Lowering of HIPS / PFW / Operating System Security Settings
- Changes security center settings (notifications, updates, antivirus, firewall) (evidence: key value created or modified (1))
- Further evidence rows: binary or memory string (3), WMI queries (4)

Stealing of Sensitive Information
- Yara detected Emotet (evidence: file source (16), code function (4))
Mitre Att&ck Matrix

Digits fused to the end of a technique name (for example "Valid Accounts1") are the report's superscript match markers for that technique; the extraction dropped the superscript formatting.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts1 | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | Input Capture1 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
Default Accounts | Native API111 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | System Service Discovery1 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Encrypted Channel22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Command and Scripting Interpreter2 | Windows Service12 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | Service Execution12 | Logon Script (Mac) | Windows Service12 | Software Packing1 | NTDS | System Information Discovery47 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Process Injection1 | DLL Side-Loading1 | LSA Secrets | Security Software Discovery51 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion1 | Cached Domain Credentials | Virtualization/Sandbox Evasion3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading121 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation1 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Virtualization/Sandbox Evasion3 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | ||
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories1 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery |
Behavior Graph
(graph not captured in this extraction)

Screenshots
(thumbnails not captured in this extraction)
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Detection | Scanner | Label
---|---|---
96% | ReversingLabs | Win32.Trojan.Emotet
100% | Avira | HEUR/AGEN.1111753
100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files (source file names and download links not captured)

Detection | Scanner | Label
---|---|---
100% | Avira | TR/Patched.Ren.Gen
100% | Avira | HEUR/AGEN.1111753
100% | Avira | HEUR/AGEN.1111753
100% | Avira | TR/Patched.Ren.Gen
100% | Avira | HEUR/AGEN.1111753
100% | Avira | HEUR/AGEN.1111753
100% | Avira | HEUR/AGEN.1111753
100% | Avira | HEUR/AGEN.1111753
100% | Avira | HEUR/AGEN.1111753
100% | Avira | TR/Patched.Ren.Gen
100% | Avira | TR/Patched.Ren.Gen
100% | Avira | HEUR/AGEN.1111753
Domains
No Antivirus matches

URLs
Ten URL entries were listed (the URL values themselves were not captured). All were rated 0% / safe: nine by URL Reputation and one by Avira URL Cloud.
Domains and IPs

Contacted Domains
No contacted domains info

URLs from Memory and Binaries
35 URL entries were listed (names, sources and antivirus detection columns not captured). All are marked Malicious: false; reputation is high for 31 entries, low for 2 and unknown for 2.
Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
152.89.236.214 | unknown | Germany | 31400 | ACCELERATED-ITDE | false
198.199.114.69 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
104.236.246.93 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
178.210.51.222 | unknown | Russian Federation | 43727 | KVANT-TELECOMRU | false
45.33.54.74 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | false
209.141.41.136 | unknown | United States | 53667 | PONYNETUS | false
87.106.136.232 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

Private

IP
---
127.0.0.1
General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 376365
Start date: 26.03.2021
Start time: 12:14:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: aEdlObiYav (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: (not captured)
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@15/5@0/8
EGA Information: (not captured)
HDC Information: (not captured)
HCA Information: (not captured)
Cookbook Comments: (not captured)
Warnings: (not captured)
Simulations

Behavior and APIs

Time | Type | Description
---|---|---
12:15:06 | API Interceptor | (not captured)
12:16:21 | API Interceptor | (not captured)
Joe Sandbox View / Context

IPs (associated sample names, SHA-256 hashes and browse links not captured)
- 198.199.114.69: 3 associated samples, all detected as malicious
- 104.236.246.93: 5 associated samples, all detected as malicious
- 45.33.54.74: 1 associated sample, detected as malicious
- 87.106.136.232: 1 associated sample, detected as malicious

Domains
No context

ASN (associated sample names, SHA-256 hashes and browse links not captured)
- ACCELERATED-ITDE: 20 associated samples, all detected as malicious
- DIGITALOCEAN-ASNUS: 20 associated samples, all detected as malicious
- DIGITALOCEAN-ASNUS (second entry): 20 associated samples, all detected as malicious

JA3 Fingerprints
No context

Dropped Files
No context
Created / dropped Files

Five files are listed. The file name, file type and preview columns were not captured for any of them.

File 1
Process: C:\Windows\System32\svchost.exe
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.597889115294713
Encrypted: false
SSDEEP: 6:bVk1GaD0JOCEfMuaaD0JOCEfMKQmDF1Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bCGaD0JcaaD0JwQQF1Ag/0bjSQJ
MD5: 4E33D805E2A479CEE4D175EDBAE59C11
SHA1: 1EAA684AA38277FA15E860035EB1BDEBCE587FAE
SHA-256: C9040CEDCAA9BC5392C8A43422B685431F804EF7E2669F45A546DAFEE0512988
SHA-512: D74D01C1C48F02E7E75DD5BFA2BA0849912165C532A8D62D47BD8D5E2DBC5CD9AD391DB420CDDCA382EB10CC55B0905E164A1739B2C89161DF89A748102308C7
Malicious: false
Reputation: low

File 2
Process: C:\Windows\System32\svchost.exe
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09636108144020473
Encrypted: false
SSDEEP: 6:sEsAzwl/+KRIE11Y8TRXrrFlKGEsAzwl/+KRIE11Y8TRXrrFlK:sFA0+KO4blrrFlKGFA0+KO4blrrFlK
MD5: CC2B342ACF2A0814B5BCAE5A58DBD2FC
SHA1: C44E20AB2EA24C9EA9A4C381B6E01B832946E984
SHA-256: F709D7EA01C60FA0756B3E170EC7FCE60EFD88499230B57C9064D38FC77C63A2
SHA-512: AA06D2E349B13ADD0C70ADBE8268B0C03B39EC1AA4BDAD6E8CFD1A25F9CB898C9ED653364A1DA03814D8769D111E0DB33DDDFD38E172BD661537642363CD5FE2
Malicious: false
Reputation: low

File 3
Process: C:\Windows\System32\svchost.exe
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.11086134938174995
Encrypted: false
SSDEEP: 3:DnSLEvjUOMjSXl/bJdAtixx/CYll:OyPMj8t4O/
MD5: F88FE82FEE638B48780BE86DCD42F59B
SHA1: 68CEFD6EF8B846506CCBD4615FF9BBE46281EA49
SHA-256: 3C0871C0DD8B3D2A331A974F01A144C665E3476291AB203118C257FEFBB3483D
SHA-512: 9105C803F7A75AFC6D3502A7BC89B9719A32AAB46909C010B3ACA2D408E29E534138946B62DD0EF0DD99EFD8306AE0BED2DFEA4964C5EBFE776098B98A6E1BE5
Malicious: false
Reputation: low

File 4
Process: C:\Windows\System32\svchost.exe
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Reputation: high, very likely benign file

File 5
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
Category: modified
Size (bytes): 906
Entropy (8bit): 3.132534585600141
Encrypted: false
SSDEEP: 12:58KRBubdpkoF1AG3rYyGljok9+MlWlLehB4yAq7ejCZyGljB:OaqdmuF3roljL+kWReH4yJ7MAljB
MD5: 565473E4D9B99CA298056458A32F5C4A
SHA1: 41B263FB8EF34508A270C1131E851F03AA21152C
SHA-256: AB279EB907E7309130B86D1709ACA6F349EEDD5AC22FA34388685A2EAC32FDB2
SHA-512: FC96109E8D6901953C225F7483A935CAF1068F4DD2A10CD8F645FFD84A0C74374D0124F09723001883DFAA86631F56D770301BC043A38515F880C64F3CC09839
Malicious: false
Reputation: low
Static File Info

General
File type: (not captured)
Entropy (8bit): 6.625638741868008
TrID: (not captured)
File name: aEdlObiYav.exe
File size: 516346
MD5: ae03a6f8fb74d401b403647d28e21574
SHA1: 6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256: 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
SHA512: ab2a30d32722419c72808032ae01b9443bfb8ea80ec52426aeb42ac21a84f0a2b04dd6f311c13b06bcaa37b7874b4e311ff8dc0c94ccfa42cbf6dcac0e2facab
SSDEEP: 6144:PebeJq15KNVIjux9tE9dVyAhwoajYPNo4ahRFPhpxOtYS0xefNPf+R6axxVccVPo:W5KNgux9t0VyAShUPCRdUi8cVRPw17i
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*1..Db..Db..Dbd..b..Db..]b..Db...b..Db..Kb..Db...ba.Db..cb..Dbd..b..Db..Eb..Db..$b..Db...b..Db...b..Db...b..DbRich..Db....... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x419b95 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x5D9A0326 [Sun Oct 6 15:07:18 2019 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 92bdfd5dfdc574760c27f87d6f10fe98 |
Entrypoint Preview |
---|
Instruction |
---|
push 00000060h |
push 0045C7A8h |
call 00007FD794FDE160h |
mov edi, 00000094h |
mov eax, edi |
call 00007FD794FDE2B8h |
mov dword ptr [ebp-18h], esp |
mov esi, esp |
mov dword ptr [esi], edi |
push esi |
call dword ptr [004552A0h] |
mov ecx, dword ptr [esi+10h] |
mov dword ptr [0047B960h], ecx |
mov eax, dword ptr [esi+04h] |
mov dword ptr [0047B96Ch], eax |
mov edx, dword ptr [esi+08h] |
mov dword ptr [0047B970h], edx |
mov esi, dword ptr [esi+0Ch] |
and esi, 00007FFFh |
mov dword ptr [0047B964h], esi |
cmp ecx, 02h |
je 00007FD794FDEACEh |
or esi, 00008000h |
mov dword ptr [0047B964h], esi |
shl eax, 08h |
add eax, edx |
mov dword ptr [0047B968h], eax |
xor esi, esi |
push esi |
mov edi, dword ptr [00455320h] |
call edi |
cmp word ptr [eax], 5A4Dh |
jne 00007FD794FDEAE1h |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
cmp dword ptr [ecx], 00004550h |
jne 00007FD794FDEAD4h |
movzx eax, word ptr [ecx+18h] |
cmp eax, 0000010Bh |
je 00007FD794FDEAE1h |
cmp eax, 0000020Bh |
je 00007FD794FDEAC7h |
mov dword ptr [ebp-1Ch], esi |
jmp 00007FD794FDEAE9h |
cmp dword ptr [ecx+00000084h], 0Eh |
jbe 00007FD794FDEAB4h |
xor eax, eax |
cmp dword ptr [ecx+000000F8h], esi |
jmp 00007FD794FDEAD0h |
cmp dword ptr [ecx+74h], 0Eh |
jbe 00007FD794FDEAA4h |
xor eax, eax |
cmp dword ptr [ecx+000000E8h], esi |
setne al |
mov dword ptr [ebp-1Ch], eax |
Rich Headers |
---|
Programming Language: | |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x68cf0 | 0x53 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66224 | 0x104 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x3ebc | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x55880 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x60ed0 | 0x48 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x55000 | 0x878 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x66174 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x53ee9 | 0x54000 | False | 0.505048479353 | DOS executable (COM) | 6.50788658927 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x55000 | 0x13d43 | 0x14000 | False | 0.315026855469 | data | 5.20395932053 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x69000 | 0x14234 | 0x11000 | False | 0.795568129596 | data | 7.54511629913 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x7e000 | 0x3ebc | 0x4000 | False | 0.259643554688 | data | 3.45842321085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_CURSOR | 0x7eb68 | 0x134 | data | English | United States |
RT_CURSOR | 0x7ec9c | 0xb4 | data | English | United States |
RT_CURSOR | 0x7ed50 | 0x134 | AmigaOS bitmap font | English | United States |
RT_CURSOR | 0x7ee84 | 0x134 | data | English | United States |
RT_CURSOR | 0x7efb8 | 0x134 | data | English | United States |
RT_CURSOR | 0x7f0ec | 0x134 | data | English | United States |
RT_CURSOR | 0x7f220 | 0x134 | data | English | United States |
RT_CURSOR | 0x7f354 | 0x134 | data | English | United States |
RT_CURSOR | 0x7f488 | 0x134 | data | English | United States |
RT_CURSOR | 0x7f5bc | 0x134 | data | English | United States |
RT_CURSOR | 0x7f6f0 | 0x134 | data | English | United States |
RT_CURSOR | 0x7f824 | 0x134 | data | English | United States |
RT_CURSOR | 0x7f958 | 0x134 | AmigaOS bitmap font | English | United States |
RT_CURSOR | 0x7fa8c | 0x134 | data | English | United States |
RT_CURSOR | 0x7fbc0 | 0x134 | data | English | United States |
RT_CURSOR | 0x7fcf4 | 0x134 | data | English | United States |
RT_BITMAP | 0x7fe28 | 0xb8 | data | English | United States |
RT_BITMAP | 0x7fee0 | 0x144 | data | English | United States |
RT_DIALOG | 0x80024 | 0x184 | data | English | United States |
RT_DIALOG | 0x801a8 | 0xf4 | data | English | United States |
RT_DIALOG | 0x8029c | 0x100 | data | English | United States |
RT_DIALOG | 0x8039c | 0xe8 | data | English | United States |
RT_STRING | 0x80484 | 0x44 | data | English | United States |
RT_STRING | 0x804c8 | 0x48 | data | English | United States |
RT_STRING | 0x80510 | 0x2c | data | English | United States |
RT_STRING | 0x8053c | 0x38 | data | English | United States |
RT_STRING | 0x80574 | 0x48 | data | English | United States |
RT_STRING | 0x805bc | 0x64 | data | English | United States |
RT_STRING | 0x80620 | 0x46 | data | English | United States |
RT_STRING | 0x80668 | 0x82 | data | English | United States |
RT_STRING | 0x806ec | 0x2a | data | English | United States |
RT_STRING | 0x80718 | 0x192 | data | English | United States |
RT_STRING | 0x808ac | 0x4e2 | data | English | United States |
RT_STRING | 0x80d90 | 0x31a | data | English | United States |
RT_STRING | 0x810ac | 0x2dc | data | English | United States |
RT_STRING | 0x81388 | 0x8a | data | English | United States |
RT_STRING | 0x81414 | 0xac | data | English | United States |
RT_STRING | 0x814c0 | 0xde | data | English | United States |
RT_STRING | 0x815a0 | 0x4c4 | data | English | United States |
RT_STRING | 0x81a64 | 0x264 | data | English | United States |
RT_STRING | 0x81cc8 | 0x2c | data | English | United States |
RT_STRING | 0x81cf4 | 0x42 | data | English | United States |
RT_STRING | 0x81d38 | 0x48 | data | English | United States |
RT_GROUP_CURSOR | 0x81d80 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States |
RT_GROUP_CURSOR | 0x81da4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81db8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81dcc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81de0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81df4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e6c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e80 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81e94 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
RT_GROUP_CURSOR | 0x81ea8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States |
Imports |
---|
DLL | Import |
---|---|
CRYPT32.dll | CertOpenStore |
KERNEL32.dll | GetStartupInfoA, GetCommandLineA, ExitProcess, HeapReAlloc, TerminateProcess, ExitThread, CreateThread, HeapSize, FatalAppExitA, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, SetConsoleCtrlHandler, RtlUnwind, GetLocaleInfoW, SetEnvironmentVariableA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, GetVersion, lstrcmpiA, lstrlenW, lstrcmpiW, lstrlenA, CompareStringA, CompareStringW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStringTypeExA, GetStringTypeExW, SizeofResource, LockResource, LoadResource, FindResourceA, FreeResource, GlobalFree, GlobalUnlock, GlobalLock, LocalFree, lstrcpynA, FormatMessageA, GlobalAlloc, GlobalSize, MulDiv, CopyFileA, SetLastError, GetProcAddress, GetModuleHandleA, lstrcmpW, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, GetDiskFreeSpaceA, GetTempFileNameA, LocalLock, LocalUnlock, GetFileTime, GetFileAttributesA, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, SetErrorMode, GetShortPathNameA, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, SystemTimeToFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalFlags, DeleteCriticalSection, InitializeCriticalSection, RaiseException, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, lstrcmpA, GetModuleFileNameA, lstrcatA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, InterlockedDecrement, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, LoadLibraryA, FreeLibrary, SetStdHandle |
USER32.dll | IsClipboardFormatAvailable, MessageBeep, GetTabbedTextExtentA, GetDCEx, LockWindowUpdate, SetParent, InvalidateRect, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, DestroyIcon, DeleteMenu, wsprintfA, WaitMessage, GetWindowThreadProcessId, ReleaseCapture, WindowFromPoint, SetCapture, LoadCursorA, GetSysColorBrush, GetDialogBaseUnits, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, ShowOwnedPopups, SetCursor, PostQuitMessage, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, DestroyMenu, GetMenuItemInfoA, InflateRect, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, ScrollWindowEx, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, KillTimer, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, GetFocus, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, MessageBoxA, TrackPopupMenuEx, TrackPopupMenu, GetKeyState, SetScrollRange, SetDlgItemTextA, CharLowerA, CharLowerW, CharUpperA, CharUpperW, SendMessageA, EnableWindow, DrawIcon, AppendMenuA, GetSystemMenu, IsIconic, GetClientRect, SetActiveWindow, LoadIconA, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, IsWindowVisible, UpdateWindow, GetMenu, PostMessageA, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetTimer, SetRect, UnionRect, IsRectEmpty, MapVirtualKeyA, GetClassInfoA, RegisterClassA, UnregisterClassA, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetKeyNameTextA, LoadMenuA, UnpackDDElParam, ReuseDDElParam, GetClassLongA, LoadAcceleratorsA, CallWindowProcA, LoadStringW, GetSystemMetrics, EndDialog, GetNextDlgTabItem, GetParent, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, GetActiveWindow, GetDesktopWindow, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuA, GetWindowRect, CopyRect, PtInRect, GetWindow, GetMenuState, GetMenuStringA, GetMenuItemID |
GDI32.dll | SetMapperFlags, SetArcDirection, SetColorAdjustment, DeleteObject, SelectClipRgn, GetClipRgn, CreateRectRgn, SelectClipPath, GetViewportExtEx, GetWindowExtEx, GetPixel, StartDocA, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, ArcTo, PolyDraw, PolylineTo, PolyBezierTo, SetTextCharacterExtra, DeleteDC, CreateDIBPatternBrushPt, CreatePatternBrush, GetStockObject, SelectPalette, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, GetTextMetricsA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, CreateCompatibleBitmap, StretchDIBits, GetCharWidthA, CreateFontA, GetBkColor, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32A, ExtTextOutA, BitBlt, CreateCompatibleDC, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, CreateDCA, CopyMetaFileA, ExtSelectClipRgn, GetDeviceCaps |
comdlg32.dll | PageSetupDlgA, FindTextA, ReplaceTextA, GetOpenFileNameA, CommDlgExtendedError, PrintDlgA, GetFileTitleA, GetSaveFileNameA |
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter, GetJobA |
ADVAPI32.dll | GetFileSecurityA, RegCloseKey, RegSetValueA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyA, SetFileSecurityW, SetFileSecurityA |
SHELL32.dll | SHGetFileInfoA, DragFinish, DragQueryFileA, ExtractIconA |
COMCTL32.dll | ImageList_Draw, ImageList_GetImageInfo, ImageList_Read, ImageList_Write, ImageList_Destroy, ImageList_Create, ImageList_LoadImageA, ImageList_Merge |
SHLWAPI.dll | PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA |
ole32.dll | WriteClassStg, OleRegGetUserType, SetConvertStg, CoTaskMemFree, ReadFmtUserTypeStg, ReadClassStg, StringFromCLSID, CoTreatAsClass, CreateBindCtx, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, WriteFmtUserTypeStg |
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, SysStringByteLen, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
mcfGvgupamvngNBNmgO | 1 | 0x401e04 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 26, 2021 12:15:13.856343985 CET | 49714 | 443 | 192.168.2.5 | 45.33.54.74 |
Mar 26, 2021 12:15:14.022622108 CET | 443 | 49714 | 45.33.54.74 | 192.168.2.5 |
Mar 26, 2021 12:15:14.533005953 CET | 49714 | 443 | 192.168.2.5 | 45.33.54.74 |
Mar 26, 2021 12:15:14.699125051 CET | 443 | 49714 | 45.33.54.74 | 192.168.2.5 |
Mar 26, 2021 12:15:15.204783916 CET | 49714 | 443 | 192.168.2.5 | 45.33.54.74 |
Mar 26, 2021 12:15:15.372411013 CET | 443 | 49714 | 45.33.54.74 | 192.168.2.5 |
Mar 26, 2021 12:15:19.258178949 CET | 49717 | 8080 | 192.168.2.5 | 209.141.41.136 |
Mar 26, 2021 12:15:22.257272959 CET | 49717 | 8080 | 192.168.2.5 | 209.141.41.136 |
Mar 26, 2021 12:15:28.364118099 CET | 49717 | 8080 | 192.168.2.5 | 209.141.41.136 |
Mar 26, 2021 12:15:45.480190039 CET | 49726 | 8080 | 192.168.2.5 | 104.236.246.93 |
Mar 26, 2021 12:15:48.662617922 CET | 49726 | 8080 | 192.168.2.5 | 104.236.246.93 |
Mar 26, 2021 12:15:54.663077116 CET | 49726 | 8080 | 192.168.2.5 | 104.236.246.93 |
Mar 26, 2021 12:16:10.887083054 CET | 49727 | 8080 | 192.168.2.5 | 198.199.114.69 |
Mar 26, 2021 12:16:13.883450985 CET | 49727 | 8080 | 192.168.2.5 | 198.199.114.69 |
Mar 26, 2021 12:16:19.883981943 CET | 49727 | 8080 | 192.168.2.5 | 198.199.114.69 |
Mar 26, 2021 12:16:37.280674934 CET | 49730 | 8080 | 192.168.2.5 | 152.89.236.214 |
Mar 26, 2021 12:16:37.298701048 CET | 8080 | 49730 | 152.89.236.214 | 192.168.2.5 |
Mar 26, 2021 12:16:37.808387041 CET | 49730 | 8080 | 192.168.2.5 | 152.89.236.214 |
Mar 26, 2021 12:16:37.826337099 CET | 8080 | 49730 | 152.89.236.214 | 192.168.2.5 |
Mar 26, 2021 12:16:38.338735104 CET | 49730 | 8080 | 192.168.2.5 | 152.89.236.214 |
Mar 26, 2021 12:16:38.357024908 CET | 8080 | 49730 | 152.89.236.214 | 192.168.2.5 |
Mar 26, 2021 12:16:44.243448973 CET | 49731 | 8080 | 192.168.2.5 | 87.106.136.232 |
Mar 26, 2021 12:16:44.263411045 CET | 8080 | 49731 | 87.106.136.232 | 192.168.2.5 |
Mar 26, 2021 12:16:44.776601076 CET | 49731 | 8080 | 192.168.2.5 | 87.106.136.232 |
Mar 26, 2021 12:16:44.796765089 CET | 8080 | 49731 | 87.106.136.232 | 192.168.2.5 |
Mar 26, 2021 12:16:45.307971954 CET | 49731 | 8080 | 192.168.2.5 | 87.106.136.232 |
Mar 26, 2021 12:16:45.328773975 CET | 8080 | 49731 | 87.106.136.232 | 192.168.2.5 |
Mar 26, 2021 12:16:49.226500034 CET | 49732 | 8080 | 192.168.2.5 | 178.210.51.222 |
Mar 26, 2021 12:16:52.230490923 CET | 49732 | 8080 | 192.168.2.5 | 178.210.51.222 |
Mar 26, 2021 12:16:58.230922937 CET | 49732 | 8080 | 192.168.2.5 | 178.210.51.222 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 26, 2021 12:14:41.512866974 CET | 54302 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:41.525654078 CET | 53 | 54302 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:41.585858107 CET | 53784 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:41.598005056 CET | 53 | 53784 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:41.610990047 CET | 65307 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:41.615739107 CET | 64344 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:41.623008013 CET | 53 | 65307 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:41.627897024 CET | 53 | 64344 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:42.167435884 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:42.180625916 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:43.448725939 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:43.461241007 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:44.423804998 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:44.436858892 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:45.104419947 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:45.117428064 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:46.996332884 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:47.010894060 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:48.214711905 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:48.228995085 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:49.268984079 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:49.283057928 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:50.040528059 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:50.053486109 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:51.121691942 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:51.135163069 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:51.804497004 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:51.819228888 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:14:53.942034006 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:14:53.955611944 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:15:09.783927917 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:15:09.802167892 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:15:17.823621988 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:15:17.836400986 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:15:37.598907948 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:15:37.611623049 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:15:39.159313917 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:15:39.192080975 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:15:44.632929087 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:15:44.651496887 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:16:18.667603016 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:16:18.680677891 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
Mar 26, 2021 12:16:18.968331099 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
Mar 26, 2021 12:16:19.002011061 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 12:14:48 |
Start date: | 26/03/2021 |
Path: | C:\Users\user\Desktop\aEdlObiYav.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 516346 bytes |
MD5 hash: | AE03A6F8FB74D401B403647D28E21574 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 12:14:48 |
Start date: | 26/03/2021 |
Path: | C:\Users\user\Desktop\aEdlObiYav.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 516346 bytes |
MD5 hash: | AE03A6F8FB74D401B403647D28E21574 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 12:14:57 |
Start date: | 26/03/2021 |
Path: | C:\Windows\SysWOW64\picturerus.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 516346 bytes |
MD5 hash: | AE03A6F8FB74D401B403647D28E21574 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 12:14:57 |
Start date: | 26/03/2021 |
Path: | C:\Windows\SysWOW64\picturerus.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 516346 bytes |
MD5 hash: | AE03A6F8FB74D401B403647D28E21574 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 12:15:06 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff797770000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:15:16 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff797770000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:15:17 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff797770000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:15:17 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff797770000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:15:18 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\SgrmBroker.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff744c80000 |
File size: | 163336 bytes |
MD5 hash: | D3170A3F3A9626597EEE1888686E3EA6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:15:18 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff797770000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:16:20 |
Start date: | 26/03/2021 |
Path: | C:\Program Files\Windows Defender\MpCmdRun.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff668430000 |
File size: | 455656 bytes |
MD5 hash: | A267555174BFA53844371226F482B86B |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:16:21 |
Start date: | 26/03/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7ecfc0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|