Windows Analysis Report: Order Items.exe

Overview

Detection |
---|
Score: | 100 (range 0 - 100) |
Whitelisted: | false |
Confidence: | 100% |
Malware Configuration |
---|
Threatname: | FormBook |
{"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}
The single entry under "C2 list", www.narrowpathwc.com/n8ba/, is the operative command-and-control URL. FormBook masks it by also sending traffic to hosts drawn from the "decoy" list, which are typically unrelated legitimate, parked or expired domains; the decoys are useful for correlating traffic with this sample, but should not be block-listed or attributed as attacker infrastructure on the strength of this list alone.
Yara Overview |
---|
Memory Dumps |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(The Source and Strings columns are empty in this copy; the AntiVM_3 rule is listed twice because it matched twice.)
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Possible Applocker Bypass (rule author: juju4; the matching process is elided in this copy) |
Jbx Signature Overview |
---|
AV Detection: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Found malware configuration | Malware Configuration Extractor |
Multi AV Scanner detection for dropped file | Virustotal, ReversingLabs |
Multi AV Scanner detection for submitted file | Virustotal, ReversingLabs |
Yara detected FormBook | File source |
Machine Learning detection for dropped file | Joe Sandbox ML |
Machine Learning detection for sample | Joe Sandbox ML |
(title elided) | Static PE information: 1 entry |
Networking: |
---|
Signature | Sources (details elided in this copy) |
---|---|
C2 URLs / IPs found in malware configuration | URLs (see Malware Configuration) |
(title elided) | TCP traffic detected without corresponding DNS query: 32 entries |
(title elided) | String found in binary or memory: 1 entry |
(title elided) | Network traffic detected: 15 entries |
The configured C2 host www.narrowpathwc.com appears neither under Contacted Domains nor under Contacted IPs, and the run ended on its timeout after about six minutes, so this report captures no C2 check-in. The packet tables under Network Behavior list flows that the report does not attribute to the sample.
E-Banking Fraud: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Yara detected FormBook | File source |
System Summary: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Malicious sample detected (through community Yara rule) | Matched rule: 2 entries (see Yara Overview) |
Initial sample is a PE file and has a suspicious name | Static PE information (see Version Infos for the name mismatch) |
(title elided) | Code function: 0_2_00007FFF30155076 |
(title elided) | Binary or memory string: 9 entries |
(title elided) | Matched rule: 2 entries |
(title elided) | Static PE information: 7 entries |
(title elided) | Classification label: mal100.troj.evad.winEXE@14/4@0/0 (see General Information) |
(title elided) | File created: 2 entries; Mutant created: 2 entries |
(title elided) | Section loaded: 1 entry; File read: 2 entries; File opened: 1 entry |
(title elided) | Key opened: 1 entry; Key value queried: 1 entry |
(title elided) | Virustotal: 1 entry; ReversingLabs: 1 entry |
(title elided) | Process created: 14 entries |
(title elided) | Code function: 0_2_00469922, 0_2_00007FFF3015771A, 0_2_00007FFF30157F1A |
(title elided) | File created (dropped file): 1 entry |
Code-function addresses of the form 0_2_00007FFF30155076 lie in 64-bit user space. The file is a PE32 image (Imagebase 0x400000, I386 entry stub) whose characteristics are EXECUTABLE_IMAGE and LARGE_ADDRESS_AWARE without 32BIT_MACHINE, as is typical of an AnyCPU .NET assembly. The report does not show the CLR header flags, but the addresses are consistent with the sample running as a 64-bit process on the 64-bit analysis system, so memory dumps of it must be taken and parsed as 64-bit.
Boot Survival: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Uses schtasks.exe or at.exe to add and modify task schedules | Process created: 1 entry (command line elided) |
(title elided) | Process information set: 34 entries |
Malware Analysis System Evasion: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Yara detected AntiVM3 | File source: 2 entries |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) | Binary or memory string: 2 entries |
(title elided) | Thread delayed: 3 entries; Thread sleep time: 2 entries; Last function: 1 entry |
(title elided) | Binary or memory string: 8 entries |
(title elided) | Process information queried: 1 entry; Process token adjusted: 1 entry; Memory allocated: 1 entry |
(title elided) | Process created: 6 entries |
(title elided) | Queries volume information: 1 entry; Key value queried: 1 entry |
The thread-delay and sleep entries, together with a run that ended on its timeout after about six minutes with no C2 contact captured, mean the network sections of this report understate the sample's behaviour; a longer run or sleep patching would be needed to observe the check-in.
Stealing of Sensitive Information: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Yara detected FormBook | File source |
Remote Access Functionality: |
---|
Signature | Sources (details elided in this copy) |
---|---|
Yara detected FormBook | File source |
Mitre Att&ck Matrix |
---|
Techniques the report flagged for this sample; the trailing figure is the report's own hit marker, reproduced as printed, and the unflagged cells of the stock matrix are omitted.
Tactic | Technique (hit marker) |
---|---|
Execution | Scheduled Task/Job (1) |
Persistence | Scheduled Task/Job (1) |
Privilege Escalation | Process Injection (11); Scheduled Task/Job (1) |
Defense Evasion | Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (2); Software Packing (2) |
Discovery | Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (21); File and Directory Discovery (1); System Information Discovery (12) |
Collection | Archive Collected Data (1) |
Command and Control | Encrypted Channel (12); Application Layer Protocol (11) |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
39% | Virustotal | |
44% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx |
100% | Joe Sandbox ML | |
Dropped Files |
---|
Detection | Scanner | Label |
---|---|---|
100% | Joe Sandbox ML | |
39% | Virustotal | |
44% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx |
(The scanned dropped file is the byte-identical copy of the sample listed under Created / dropped Files, hence the identical figures.)
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(elided) | true | | low |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(elided) | | false | | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 458852 |
Start date: | 03.08.2021 |
Start time: | 19:49:26 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Order Items.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
New started processes analysed: | 32 |
New started drivers analysed: | 0 |
Existing processes analysed: | 0 |
Existing drivers analysed: | 0 |
Injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@14/4@0/0 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
19:50:20 | API Interceptor | (elided) |
Created / dropped Files |
---|
All four entries below were written by C:\Users\user\Desktop\Order Items.exe; file names and file types are elided in this copy.
File 1 | |
---|---|
Category: | modified |
Size (bytes): | 1742 |
Entropy (8bit): | 5.381353871108486 |
Encrypted: | false |
SSDEEP: | 48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT |
MD5: | 978918F6120A43D1FA5899938A5A542F |
SHA1: | 6567A2E687B40BFD3A46246F51F4C89D93D89455 |
SHA-256: | F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC |
SHA-512: | 1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
File 2 | |
---|---|
Category: | dropped |
Size (bytes): | 1656 |
Entropy (8bit): | 5.173416876922872 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbhH7MlNQ8/rydbz9I3YODOLNdq3a |
MD5: | FCDAB3E472B354388C2A45AA6B0337D2 |
SHA1: | A27491684A672DFD53C3FBAE767E71B7A86DD3DE |
SHA-256: | C00EA4503B5C908DDDF0BEDE1D3369D04117B4DF7D70D9AEF0176643AB5D5832 |
SHA-512: | AD17CA8F5C531C14186B45493616C2A2B90FB6C7079321244AA9FD019B1D1B8369FD872C2E911B37BD0A6FB2E202E65D24B334F206377D71ACC8672FCCA0C46F |
Malicious: | true |
File 3 | |
---|---|
Category: | dropped |
Size (bytes): | 738304 |
Entropy (8bit): | 7.429495166902179 |
Encrypted: | false |
SSDEEP: | 12288:ZeyKSgW4uoEGLBBBBBBBBBBBXBBBBBBBBBBBCvo5xjioLYdoRhB8uyg0kMM9V7sg:EZWZwlCUglg0k99hTe0/h3AtEN5 |
MD5: | 32448AD048712424B7A5458913EF81AE |
SHA1: | 7EA927A711AD1222FEEC156CEED9551BF95B8291 |
SHA-256: | 441CFED8F57C89CE355E5BA64417BF5B6DC409AC122936DA28BE46227CEA0B8E |
SHA-512: | 77BFB62463CB193BF1EF364BE2F9D7F954396D2AA9ED6A8B50C03B658A5F7D6989A3FAD11BCE916F204B564B359A3FB299E59BAAC4C32491226A03A82FAE156A |
Malicious: | true |
Antivirus: | see Dropped Files under the detection tables |
This file's size, MD5, SHA1, SHA-256 and SHA-512 equal those of the submitted sample (Static File Info): the sample wrote a byte-identical copy of itself to disk, which fits the schtasks-based persistence flagged under Boot Survival.
File 4 | |
---|---|
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File name: | Order Items.exe |
File size: | 738304 |
Entropy (8bit): | 7.429495166902179 |
MD5: | 32448ad048712424b7a5458913ef81ae |
SHA1: | 7ea927a711ad1222feec156ceed9551bf95b8291 |
SHA256: | 441cfed8f57c89ce355e5ba64417bf5b6dc409ac122936da28be46227cea0b8e |
SHA512: | 77bfb62463cb193bf1ef364be2f9d7f954396d2aa9ed6a8b50c03b658a5f7d6989a3fad11bce916f204b564b359a3fb299e59baac4c32491226a03a82fae156a |
SSDEEP: | 12288:ZeyKSgW4uoEGLBBBBBBBBBBBXBBBBBBBBBBBCvo5xjioLYdoRhB8uyg0kMM9V7sg:EZWZwlCUglg0k99hTe0/h3AtEN5 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.........."...P..0...........N... ...`....@.. ....................................@................................ |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4b4ef6 |
Entrypoint Section: | .text |
Digitally signed: | false (IMAGE_DIRECTORY_ENTRY_SECURITY is empty) |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6108A2E3 [Tue Aug 3 01:58:59 2021 UTC], i.e. built roughly 16 hours before the analysis started (19:49:26 CEST the same day) |
TLS Callbacks: | none (IMAGE_DIRECTORY_ENTRY_TLS is empty) |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [00402000h] |
(followed by zero padding, which the disassembler prints as 97 repeated "add byte ptr [eax], al") |
The jump reads its target from 0x402000, the single 8-byte IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000) holding mscoree!_CorExeMain, the file's only import. This is the standard native stub of a PE32 .NET executable: the program logic is IL inside .text and runs under the CLR, so native-code analysis of the entrypoint ends here and the sample has to be examined as a managed assembly.
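The following Python is an added example, not part of the Joe Sandbox report, showing the checks a reviewer would run on the entrypoint listing and header values above: decode the FF 25 indirect jump, confirm it lands inside the IAT slot of the single mscoree import while a CLR header is present, count the zero padding behind it, and compare the PE timestamp with the run start. The entrypoint bytes are constructed to match the listing, since the report shows only the disassembly; the header values and the analysis start time are copied from the Static PE Info and General Information sections.

```python
import struct
from datetime import datetime, timezone

# Values copied from the Static PE Info / General Information sections of this report.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4B4EF6
IAT_RVA, IAT_SIZE = 0x2000, 0x8          # IMAGE_DIRECTORY_ENTRY_IAT
COM_DESCRIPTOR_RVA = 0x2008              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
PE_TIMESTAMP = 0x6108A2E3
# Analysis start 03.08.2021 19:49:26 CEST (UTC+2), expressed in UTC.
ANALYSIS_START_UTC = datetime(2021, 8, 3, 17, 49, 26, tzinfo=timezone.utc)

# Constructed stand-in for the file bytes at the entrypoint (assumption: the
# listing corresponds to FF 25 00 20 40 00 followed by 97 two-byte zero words).
ENTRY_BYTES = b"\xff\x25" + struct.pack("<I", 0x402000) + b"\x00" * 194


def decode_indirect_jmp(code: bytes):
    """Decode an x86 `jmp dword ptr [imm32]` (opcode FF 25) at the start of
    `code`; return the absolute address the jump reads its target from, or
    None when the bytes are some other instruction."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def is_clr_entry_stub(code: bytes, image_base: int, iat_rva: int,
                      iat_size: int, com_descriptor_rva: int) -> bool:
    """A PE32 .NET executable's native entrypoint is one indirect jump through
    its IAT slot for mscoree!_CorExeMain, and the image carries a CLR header.
    True when both hold, i.e. the native entrypoint is only the CLR bootstrap."""
    target = decode_indirect_jmp(code)
    if target is None or com_descriptor_rva == 0:
        return False
    slot_rva = target - image_base
    return iat_rva <= slot_rva < iat_rva + iat_size


def zero_padding_after_jmp(code: bytes) -> int:
    """Count the zero bytes following the 6-byte jump; every two of them are
    what the report's disassembler prints as `add byte ptr [eax], al`."""
    n = 0
    for b in code[6:]:
        if b != 0:
            break
        n += 1
    return n


def build_age_hours(pe_timestamp: int, analysis_start_utc: datetime) -> float:
    """Hours between the PE header timestamp and the sandbox run. A small
    positive value is typical of a freshly built sample; a negative one means
    the timestamp was forged or a clock is wrong."""
    built = datetime.fromtimestamp(pe_timestamp, tz=timezone.utc)
    return (analysis_start_utc - built).total_seconds() / 3600.0


if __name__ == "__main__":
    print("jump target slot:", hex(decode_indirect_jmp(ENTRY_BYTES)))
    print("CLR entry stub:", is_clr_entry_stub(ENTRY_BYTES, IMAGE_BASE, IAT_RVA,
                                               IAT_SIZE, COM_DESCRIPTOR_RVA))
    print("padding instructions:", zero_padding_after_jmp(ENTRY_BYTES) // 2)
    print("built %.2f h before analysis" % build_age_hours(PE_TIMESTAMP, ANALYSIS_START_UTC))
```

The stub check is the quick way to decide that the 0x4b4ef6 entrypoint is not worth native disassembly; on a real file the same functions would be fed the bytes at the entrypoint's file offset, which a PE parser such as pefile resolves from the section table.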
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4ea4 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0xfe4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xb2efc | 0xb3000 | False | 0.785640439508 | data | 7.43608385702 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xb6000 | 0xfe4 | 0x1000 | False | 0.455322265625 | data | 5.68154668653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xb8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
The .text section, which in a .NET image holds the CLR metadata and IL, accounts for nearly the whole 738304-byte file and has an entropy of 7.44, whereas plain IL and metadata normally land well below 7; most of the section is therefore compressed or encrypted payload that is only unpacked at run time, consistent with the Software Packing and Obfuscated Files or Information entries in the ATT&CK matrix and with the FormBook Yara rules matching on memory dumps rather than on the file.
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xb6090 | 0x380 | data | ||
RT_MANIFEST | 0xb6420 | 0xbbe | XML 1.0 document, UTF-8 Unicode (with BOM) text |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2016 |
Assembly Version | 1.0.0.0 |
InternalName | NonEventAttribu.exe |
FileVersion | 1.0.0.0 |
CompanyName | flextronics |
LegalTrademarks | flex |
Comments | flex spare part room |
ProductName | Spare Part |
ProductVersion | 1.0.0.0 |
FileDescription | Spare Part |
OriginalFilename | NonEventAttribu.exe |
The version resource presents the file as a flextronics "Spare Part" tool originally named NonEventAttribu.exe, none of which matches the submitted name Order Items.exe, and "Copyright 2016" sits against a build timestamp of 3 August 2021; both inconsistencies fit the "suspicious name" signature and the Masquerading entry in the ATT&CK matrix.
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 3, 2021 19:50:13.830025911 CEST | 49696 | 443 | 192.168.2.7 | 20.82.209.183 |
Aug 3, 2021 19:50:16.082329035 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082426071 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082483053 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082521915 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082571983 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082593918 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082607985 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.082632065 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.093976974 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094007015 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094170094 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094238997 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094511986 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094536066 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094614029 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094661951 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094681025 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094805002 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.094832897 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094954967 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.094976902 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.095066071 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.095171928 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:50:16.148088932 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:50:16.148457050 CEST | 49676 | 443 | 192.168.2.7 | 204.79.197.200 |
Aug 3, 2021 19:51:07.761085987 CEST | 80 | 49678 | 93.184.220.29 | 192.168.2.7 |
Aug 3, 2021 19:51:07.761324883 CEST | 49678 | 80 | 192.168.2.7 | 93.184.220.29 |
Aug 3, 2021 19:51:08.624969959 CEST | 80 | 49681 | 93.184.220.29 | 192.168.2.7 |
Aug 3, 2021 19:51:08.625256062 CEST | 49681 | 80 | 192.168.2.7 | 93.184.220.29 |
Aug 3, 2021 19:51:10.320543051 CEST | 49692 | 443 | 192.168.2.7 | 51.103.5.186 |
Aug 3, 2021 19:51:10.346434116 CEST | 443 | 49692 | 51.103.5.186 | 192.168.2.7 |
Aug 3, 2021 19:51:10.491842031 CEST | 49692 | 443 | 192.168.2.7 | 51.103.5.186 |
Aug 3, 2021 19:51:11.193309069 CEST | 49693 | 443 | 192.168.2.7 | 131.253.33.200 |
Aug 3, 2021 19:51:11.193921089 CEST | 49694 | 443 | 192.168.2.7 | 131.253.33.200 |
Aug 3, 2021 19:51:56.346443892 CEST | 49681 | 80 | 192.168.2.7 | 93.184.220.29 |
Aug 3, 2021 19:51:56.346566916 CEST | 49680 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.346723080 CEST | 49690 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.363871098 CEST | 80 | 49681 | 93.184.220.29 | 192.168.2.7 |
Aug 3, 2021 19:51:56.363969088 CEST | 49681 | 80 | 192.168.2.7 | 93.184.220.29 |
Aug 3, 2021 19:51:56.391222954 CEST | 443 | 49680 | 40.126.31.141 | 192.168.2.7 |
Aug 3, 2021 19:51:56.391253948 CEST | 443 | 49690 | 40.126.31.141 | 192.168.2.7 |
Aug 3, 2021 19:51:56.391360998 CEST | 49680 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.392337084 CEST | 49690 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.830703020 CEST | 49691 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.830902100 CEST | 49685 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.871507883 CEST | 443 | 49691 | 40.126.31.141 | 192.168.2.7 |
Aug 3, 2021 19:51:56.871624947 CEST | 49691 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:51:56.875788927 CEST | 443 | 49685 | 40.126.31.141 | 192.168.2.7 |
Aug 3, 2021 19:51:56.875920057 CEST | 49685 | 443 | 192.168.2.7 | 40.126.31.141 |
Aug 3, 2021 19:52:09.201100111 CEST | 80 | 49678 | 93.184.220.29 | 192.168.2.7 |
Aug 3, 2021 19:52:09.201225996 CEST | 49678 | 80 | 192.168.2.7 | 93.184.220.29 |
Aug 3, 2021 19:52:10.338639975 CEST | 49692 | 443 | 192.168.2.7 | 51.103.5.186 |
Aug 3, 2021 19:52:10.364638090 CEST | 443 | 49692 | 51.103.5.186 | 192.168.2.7 |
Aug 3, 2021 19:52:10.409487963 CEST | 49692 | 443 | 192.168.2.7 | 51.103.5.186 |
Aug 3, 2021 19:52:21.330032110 CEST | 443 | 49676 | 204.79.197.200 | 192.168.2.7 |
Aug 3, 2021 19:52:21.422055006 CEST | 80 | 49678 | 93.184.220.29 | 192.168.2.7 |
Aug 3, 2021 19:52:21.422276974 CEST | 49678 | 80 | 192.168.2.7 | 93.184.220.29 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 19:50:19 |
Start date: | 03/08/2021 |
Path: | C:\Users\user\Desktop\Order Items.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x460000 |
File size: | 738304 bytes |
MD5 hash: | 32448AD048712424B7A5458913EF81AE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
General |
---|
Start time: | 19:50:22 |
Start date: | 03/08/2021 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff644060000 |
File size: | 226816 bytes |
MD5 hash: | 838D346D1D28F00783B7A6C6BD03A0DA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 19:50:23 |
Start date: | 03/08/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff774ee0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:50:23 |
Start date: | 03/08/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x16033ac0000 |
File size: | 258144 bytes |
MD5 hash: | 8B9E68304AF4B81C9AB70CB2220EBA74 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:50:24 |
Start date: | 03/08/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1c212d40000 |
File size: | 258144 bytes |
MD5 hash: | 8B9E68304AF4B81C9AB70CB2220EBA74 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:50:24 |
Start date: | 03/08/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x11a0000 |
File size: | 258144 bytes |
MD5 hash: | 8B9E68304AF4B81C9AB70CB2220EBA74 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:50:24 |
Start date: | 03/08/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x287c7b30000 |
File size: | 258144 bytes |
MD5 hash: | 8B9E68304AF4B81C9AB70CB2220EBA74 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:50:25 |
Start date: | 03/08/2021 |
Path: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1865f020000 |
File size: | 258144 bytes |
MD5 hash: | 8B9E68304AF4B81C9AB70CB2220EBA74 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function | Relevance | Instructions | Tag | Uniqueness Score |
---|---|---|---|---|
00007FFF30155076 | .2 | 186 | COMMON | -1.00% |
00007FFF30151203 | 1.8 | 1780 | COMMON | -1.00% |
00007FFF3015273E | .4 | 445 | COMMON | -1.00% |
00007FFF301553F3 | .2 | 166 | COMMON | -1.00% |
00007FFF3015AD90 | .1 | 147 | COMMON | -1.00% |
00007FFF30158968 | .1 | 130 | COMMON | -1.00% |
00007FFF30154B19 | .1 | 112 | COMMON | -1.00% |
00007FFF30154C53 | .1 | 91 | COMMON | -1.00% |
00007FFF301543D8 | .1 | 88 | COMMON | -1.00% |
00007FFF30154410 | .1 | 84 | COMMON | -1.00% |
00007FFF3015AE4F | .1 | 81 | COMMON | -1.00% |
00007FFF30154108 | .1 | 80 | COMMON | -1.00% |
00007FFF30155122 | .1 | 76 | COMMON | -1.00% |
00007FFF30154100 | .1 | 71 | COMMON | -1.00% |
00007FFF301541A8 | .1 | 71 | COMMON | -1.00% |
00007FFF30153B00 | .1 | 70 | COMMON | -1.00% |
00007FFF30154110 | .1 | 69 | COMMON | -1.00% |
00007FFF30153553 | .1 | 69 | COMMON | -1.00% |
00007FFF3015AB79 | .1 | 69 | COMMON | -1.00% |
00007FFF301541A0 | .1 | 67 | COMMON | -1.00% |
00007FFF30159BE2 | .1 | 60 | COMMON | -1.00% |
00007FFF3015AB43 | .1 | 59 | COMMON | -1.00% |
00007FFF3015A7D8 | .1 | 56 | COMMON | -1.00% |
00007FFF30153B47 | .1 | 52 | COMMON | -1.00% |
00007FFF301507E9 | .1 | 51 | COMMON | -1.00% |
00007FFF30153CE9 | .0 | 50 | COMMON | -1.00% |
00007FFF30154A6E | .0 | 49 | COMMON | -1.00% |
00007FFF3015047B | .0 | 47 | COMMON | -1.00% |
00007FFF301549FC | .0 | 43 | COMMON | -1.00% |
00007FFF3015342B | .0 | 36 | COMMON | -1.00% |
00007FFF3015522C | .0 | 36 | COMMON | -1.00% |
00007FFF30154928 | .0 | 35 | COMMON | -1.00% |
00007FFF301540F8 | .0 | 30 | COMMON | -1.00% |
00007FFF3015350A | .0 | 28 | COMMON | -1.00% |
00007FFF301511F5 | .0 | 23 | COMMON | -1.00% |
00007FFF30151071 | .0 | 20 | COMMON | -1.00% |
00007FFF30151108 | .0 | 20 | COMMON | -1.00% |
00007FFF30151147 | .0 | 20 | COMMON | -1.00% |
00007FFF30151185 | .0 | 20 | COMMON | -1.00% |
00007FFF30151028 | .0 | 19 | COMMON | -1.00% |
00007FFF3015943C | .0 | 18 | COMMON | -1.00% |
00007FFF30159B93 | .0 | 15 | COMMON | -1.00% |
00007FFF301555A0 | .0 | 14 | COMMON | -1.00% |
00007FFF30151100 | .0 | 13 | COMMON | -1.00% |
00007FFF30159B35 | .0 | 12 | COMMON | -1.00% |
00007FFF30159BC1 | .0 | 12 | COMMON | -1.00% |
00007FFF30158E5B | .0 | 9 | COMMON | -1.00% |
Non-executed Functions |
---|