Windows Analysis Report 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: DCRat |
---|
```json
{
  "SCRT": "{\"u\":\"#\",\"d\":\"(\",\"M\":\"<\",\"2\":\"%\",\"D\":\">\",\"8\":\"_\",\"9\":\"~\",\"O\":\"&\",\"I\":\"|\",\"w\":\")\",\"X\":\"!\",\"1\":\"-\",\"x\":\",\",\"y\":\".\",\"Q\":\";\",\"A\":\" \",\"p\":\"^\",\"Y\":\"@\",\"W\":\"`\",\"G\":\"*\",\"i\":\"$\",\"Z\":\"+\"}",
  "PCRT": "{\"C\":\")\",\"F\":\"*\",\"Q\":\"!\",\"2\":\"@\",\"V\":\" \",\"B\":\"^\",\"U\":\"$\",\"T\":\"<\",\"o\":\"&\",\"R\":\"+\",\"d\":\".\",\"c\":\";\",\"O\":\"%\",\"p\":\">\",\"E\":\"-\",\"S\":\",\",\"l\":\"~\",\"D\":\"_\",\"3\":\"|\",\"H\":\"(\",\"G\":\"#\",\"1\":\"`\"}",
  "TAG": "",
  "MUTEX": "DCR_MUTEX-OkjwC4qi8XjmDi2c70LT",
  "LDTM": false,
  "DBG": false,
  "BCS": 0,
  "AUR": 1,
  "ASCFG": {
    "savebrowsersdatatosinglefile": false,
    "ignorepartiallyemptydata": false,
    "cookies": true,
    "passwords": true,
    "forms": true,
    "cc": true,
    "history": false,
    "telegram": true,
    "steam": true,
    "discord": true,
    "filezilla": true,
    "screenshot": true,
    "clipboard": true,
    "sysinfo": true
  },
  "AS": true,
  "ASO": false,
  "ASP": "%UsersFolder% - Fast",
  "AD": false
}
```
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | ||
11 entries in total |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution |
Source: | Author: Michael Haag |
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Antivirus detection for dropped file |
Source: | Avira: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | File created: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | Code function: |
Source: | Section loaded: |
Source: | Mutant created: |
Source: | Code function: |
Source: | Command line argument: |
Source: | Process created: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Static PE information: |
Source: | File created: |
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
Source: | WMI Queries: |
Drops PE files with benign system names |
Source: | File created: |
Boot Survival: |
---|
Creates an autostart registry key pointing to binary in C:\Windows |
Source: | Registry value created or modified: |
Creates multiple autostart registry keys |
Source: | Registry value created or modified: |
Uses schtasks.exe or at.exe to add and modify task schedules |
Source: | Process created: |
Source: | Registry value created or modified: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Source: | Thread sleep time: |
Source: | Last function: |
Source: | Thread delayed: |
Source: | Window found: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Thread delayed: |
Source: | API call chain: |
Source: | File Volume queried: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Code function: |
Source: | Memory allocated: |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Stealing of Sensitive Information: |
---|
Yara detected DCRat |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected DCRat |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation11 | Scheduled Task/Job1 | Process Injection12 | Masquerading121 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Command and Scripting Interpreter2 | Registry Run Keys / Startup Folder21 | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Scheduled Task/Job1 | DLL Side-Loading1 | Registry Run Keys / Startup Folder21 | Virtualization/Sandbox Evasion21 | Security Account Manager | Security Software Discovery21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | Scripting11 | Logon Script (Mac) | DLL Side-Loading1 | Process Injection12 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Virtualization/Sandbox Evasion21 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting11 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery37 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1141820 | ||
100% | Joe Sandbox ML | |||
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1141820 | ||
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
false | low |
false | high |
false | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
47.254.235.229 | unknown | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 553369 |
Start date: | 14.01.2022 |
Start time: | 19:13:38 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 10m 28s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.troj.winEXE@18/12@0/1 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
19:14:52 | Task Scheduler | |
19:14:55 | Task Scheduler | |
19:14:55 | Task Scheduler | |
19:14:57 | Autostart | |
19:15:05 | Autostart | |
19:15:13 | Autostart | |
19:15:25 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 943 |
Entropy (8bit): | 5.913188613052131 |
Encrypted: | false |
SSDEEP: | 24:14lWm6wLRjn7hj5F6sXgL9grmqqVRu5IW:148wl5+vgVqVRuH |
MD5: | ECF7F945361F7926B9B63C419078DDF4 |
SHA1: | 9ECD8AEAB79A1920442CCB468451A8AB8CA560DE |
SHA-256: | 71A10906FD555AE5B93B9CAC9288933EF9720CCF934D425AE29200F1B2666FF2 |
SHA-512: | 3FAAAB6EAA6683A5191DF19C5F0437C69EB7769A90DFEE0347D4DC7DD55EC1C94E8DDB0604E31D3CC7C61FBCF0D52A8AC55AA6B56DF60F14A03DC4EF1EF3C8AD |
Malicious: | false |
Reputation: | low |
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1005056 |
Entropy (8bit): | 6.304363811100068 |
Encrypted: | false |
SSDEEP: | 12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4 |
MD5: | 4E66AE5C311A1AADC1241790C112525F |
SHA1: | 0E697DE0A696E498897118D193E4EBC854EAD1E2 |
SHA-256: | 08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51 |
SHA-512: | E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9 |
Malicious: | true |
Antivirus: |
Reputation: | low |
Process: | C:\Users\user\Pictures\Camera Roll\lsass.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1281 |
Entropy (8bit): | 5.367899416177239 |
Encrypted: | false |
SSDEEP: | 24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q |
MD5: | 7115A3215A4C22EF20AB9AF4160EE8F5 |
SHA1: | A4CAB34355971C1FBAABECEFA91458C4936F2C24 |
SHA-256: | A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2 |
SHA-512: | 2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | modified |
Size (bytes): | 1740 |
Entropy (8bit): | 5.360872475306136 |
Encrypted: | false |
SSDEEP: | 48:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1hAHKKP5H+RHKl:iqnwmI0qerYqGgAoPtzG1eqKP5gql |
MD5: | 7AC9E3ED5E1926DAE60D44553AFE67FE |
SHA1: | 1EC2BB13633A3C21E2F3206696D89876B15E160F |
SHA-256: | 97BCE2B4536F07A3269FCCA71C9768C9D516D065BE0E538B17BADB90C32A6554 |
SHA-512: | D8070849646B1E8967C713800098073E68B0FF5EAB55E06A32E0C365A6D49E5FB1718340459B4710B4A8DC6CDE8EA1345F7935CD0C7E27A18BEF71B8309A5B27 |
Malicious: | false |
Process: | C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1281 |
Entropy (8bit): | 5.367899416177239 |
Encrypted: | false |
SSDEEP: | 24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q |
MD5: | 7115A3215A4C22EF20AB9AF4160EE8F5 |
SHA1: | A4CAB34355971C1FBAABECEFA91458C4936F2C24 |
SHA-256: | A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2 |
SHA-512: | 2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20 |
Malicious: | false |
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 675 |
Entropy (8bit): | 5.891310729251569 |
Encrypted: | false |
SSDEEP: | 12:DOB1NmPsK15+T3g1O/ezt7yXH9CVQ8pLfLL/0rEPPzPcsVtEPvu2:SDQPj15+T34WeakzL/0IPPzksV8u2 |
MD5: | B026BC253DC1C8E4F743CD7CD6016E40 |
SHA1: | C8519D92F0ACDAE6CB9A29DF8CC89AEBDFF7CC22 |
SHA-256: | B7FC66800295ED68EA4045E6A3F88ECC9C47F4E8FF1B3412EA4F1DFD5FC8BA37 |
SHA-512: | EB8CE932671F72BC86B358E5EC159276FD78B0360E5007CDEE021C5A9560CADDCA7065C90B4AEA349414F61BC01038319B760D132CAFA38C3E155BDF9E9136A9 |
Malicious: | false |
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1005056 |
Entropy (8bit): | 6.304363811100068 |
Encrypted: | false |
SSDEEP: | 12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4 |
MD5: | 4E66AE5C311A1AADC1241790C112525F |
SHA1: | 0E697DE0A696E498897118D193E4EBC854EAD1E2 |
SHA-256: | 08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51 |
SHA-512: | E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9 |
Malicious: | true |
Antivirus: |
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1005056 |
Entropy (8bit): | 6.304363811100068 |
Encrypted: | false |
SSDEEP: | 12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4 |
MD5: | 4E66AE5C311A1AADC1241790C112525F |
SHA1: | 0E697DE0A696E498897118D193E4EBC854EAD1E2 |
SHA-256: | 08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51 |
SHA-512: | E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9 |
Malicious: | true |
Antivirus: |
Process: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 669 |
Entropy (8bit): | 5.898005341738037 |
Encrypted: | false |
SSDEEP: | 12:DBYJ1n7P/N5PX3OB3f/TaTFYNejCf8SfSiiJfmVC75kKWrFW4gsFWbpy8ZxNG:6J1n7t5P83zaTUfxf/iJS3rw4gs58ZHG |
MD5: | C4F153DB69F9163AE21EE298A7A17987 |
SHA1: | D67E6B1131FBEEE20B1B50FB4DEA50323E113497 |
SHA-256: | 88080CAE6BB969A00918DA20FE8EEE690E508406E002AF17DF3E763F693D3592 |
SHA-512: | E66F992F8633B533D8B6FDFB90F4CC0E69860B1E136356C1276C1CCE0E497BF4856D56F3F5A25F826921A3E9FF98511444B9BFB6E7E178A5E1D1F52D2CFF1929 |
Malicious: | false |
Process: | C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 203 |
Entropy (8bit): | 5.773879727999392 |
Encrypted: | false |
SSDEEP: | 6:GFt2wqK+NkLzWbHK/818nZNDd3RL1wQJR80zSQbs:GFt7MCzWLKG4d3XBJ20+R |
MD5: | 757B50FD5D788BA7E256A3E77451C547 |
SHA1: | 1FCBE9134894A2332A01ADF3AD8A81E568280DEC |
SHA-256: | BCBB7284A180E1EF6153FAFADBD097F3A0D11B52DB126B0C2825D5151EC6A551 |
SHA-512: | A31A7D22B39F636F59D8755D18E84FF4F900A7B7505F711658528876E4D7E9655774FBCA15E4861FDB2479F7BDA5575FB24476CAEF76B4187E56D0A74371C01D |
Malicious: | false |
Process: | C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 63 |
Entropy (8bit): | 4.093612709800596 |
Encrypted: | false |
SSDEEP: | 3:I5QDVqXD/l2ARKWqXD/lcWWTTbAH:IO0N0NnyAH |
MD5: | C6324E617643334D666C56C7C5512F67 |
SHA1: | EB4ED012A1147A1B3B464E88FB7ABA700C73EAD2 |
SHA-256: | 38D60AD4DB38391E6FAEEE019BEFA3D2F72BE82B212244671354BD9BFBD372EE |
SHA-512: | 7FC8A7AE91396CDBB270E69B25ED50DF1B7178B6B5EE1042BB6CFA3BABE1599113A64B3BDE10DDA8DFA2B9A537FE17F527989730F9E9ECB1A0E45B74F5DB642F |
Malicious: | false |
Process: | C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1005056 |
Entropy (8bit): | 6.304363811100068 |
Encrypted: | false |
SSDEEP: | 12288:RrC9hUiTQ4XmycIJ83QYQzC76HKtkzWkeQwwcwFWnP4q65Iqn4:ChHlmyb8uonlHQwhn/r+4 |
MD5: | 4E66AE5C311A1AADC1241790C112525F |
SHA1: | 0E697DE0A696E498897118D193E4EBC854EAD1E2 |
SHA-256: | 08D8DB67DDAE643CE598DC41C4BF56156079461A79CDB2BDB5783EB6FD804B51 |
SHA-512: | E10C940EB260F9B1BC305A7B0AABA7760806B4712500223D3B9920F800546B44A02D11CE9A16DA17CABD5C986C68F535CD27387A8BD4F01929061FEDFFE6B5B9 |
Malicious: | true |
Antivirus: |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.496971119283181 |
TrID: |
File name: | 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe |
File size: | 1322142 |
MD5: | a4d367f98a1fa3e594af0875379bda39 |
SHA1: | a82d6bafcc260138eb11b4a511ff6f3e80441ce3 |
SHA256: | 9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b8f3040eb8f3d29ef149 |
SHA512: | 94deb8455db4863909dfccb33f7ceb128ff6a041c6e36d04d679df74fa0506443466ada3f3c13352d665e54d0440b2f086a8a599e7db914bc5e54df08f6ba547 |
SSDEEP: | 24576:U2G/nvxW3Ww0tbhHlmyb8uonlHQwhn/r+47:UbA30dH36+yn/a4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'.. |
File Icon |
---|
Icon Hash: | d49494d6c88ecec2 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x41ec40 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | fcf1390e9ce472c7270447fc5c61a0c1 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F06A04913D9h |
jmp 00007F06A0490DEDh |
cmp ecx, dword ptr [0043E668h] |
jne 00007F06A0490F65h |
ret |
jmp 00007F06A049155Eh |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push esi |
push dword ptr [ebp+08h] |
mov esi, ecx |
call 00007F06A0483CF7h |
mov dword ptr [esi], 00435580h |
mov eax, esi |
pop esi |
pop ebp |
retn 0004h |
and dword ptr [ecx+04h], 00000000h |
mov eax, ecx |
and dword ptr [ecx+08h], 00000000h |
mov dword ptr [ecx+04h], 00435588h |
mov dword ptr [ecx], 00435580h |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
lea eax, dword ptr [ecx+04h] |
mov dword ptr [ecx], 00435568h |
push eax |
call 00007F06A04940FDh |
pop ecx |
ret |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F06A0483C8Eh |
push 0043B704h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F06A0493812h |
int3 |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007F06A0490F04h |
push 0043B91Ch |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007F06A04937F5h |
int3 |
jmp 00007F06A0495843h |
jmp dword ptr [00433260h] |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push 00421EB0h |
push dword ptr fs:[00000000h] |
Rich Headers |
---|
Programming Language: |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x310ea | 0x31200 | False | 0.583959526081 | data | 6.70807539634 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x33000 | 0xa612 | 0xa800 | False | 0.452845982143 | data | 5.22174270925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3e000 | 0x23728 | 0x1000 | False | 0.36767578125 | data | 3.70881866699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.didat | 0x62000 | 0x188 | 0x200 | False | 0.4453125 | data | 3.2982538068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x63000 | 0xdfd0 | 0xe000 | False | 0.637032645089 | data | 6.63675064042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x71000 | 0x2268 | 0x2400 | False | 0.768120659722 | data | 6.55486201017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States |
PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States |
RT_ICON | 0x65748 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0x65cb0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x66558 | 0xea8 | data | English | United States |
RT_ICON | 0x67400 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0x67868 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x68910 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_DIALOG | 0x6f588 | 0x286 | data | English | United States |
RT_DIALOG | 0x6f358 | 0x13a | data | English | United States |
RT_DIALOG | 0x6f498 | 0xec | data | English | United States |
RT_DIALOG | 0x6f228 | 0x12e | data | English | United States |
RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States |
RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States |
RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States |
RT_STRING | 0x70150 | 0x1cc | data | English | United States |
RT_STRING | 0x70320 | 0x1b8 | data | English | United States |
RT_STRING | 0x704d8 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States |
RT_STRING | 0x70620 | 0x446 | data | English | United States |
RT_STRING | 0x70a68 | 0x166 | data | English | United States |
RT_STRING | 0x70bd0 | 0x152 | data | English | United States |
RT_STRING | 0x70d28 | 0x10a | data | English | United States |
RT_STRING | 0x70e38 | 0xbc | data | English | United States |
RT_STRING | 0x70ef8 | 0xd6 | data | English | United States |
RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States |
RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer |
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2022 19:15:28.995527983 CET | 49780 | 80 | 192.168.2.4 | 47.254.235.229 |
Jan 14, 2022 19:15:29.257647991 CET | 80 | 49780 | 47.254.235.229 | 192.168.2.4 |
Jan 14, 2022 19:15:29.259288073 CET | 49780 | 80 | 192.168.2.4 | 47.254.235.229 |
Jan 14, 2022 19:15:29.795423985 CET | 49780 | 80 | 192.168.2.4 | 47.254.235.229 |
Jan 14, 2022 19:15:30.061341047 CET | 80 | 49780 | 47.254.235.229 | 192.168.2.4 |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49780 | 47.254.235.229 | 80 | C:\Users\user\Pictures\Camera Roll\lsass.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 14, 2022 19:15:29.795423985 CET | 1519 | OUT |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 19:14:34 |
Start date: | 14/01/2022 |
Path: | C:\Users\user\Desktop\9bdcc933d0c04da1fa41ba915c460d9fa573e4bc5814b.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1000000 |
File size: | 1322142 bytes |
MD5 hash: | A4D367F98A1FA3E594AF0875379BDA39 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:14:36 |
Start date: | 14/01/2022 |
Path: | C:\Windows\SysWOW64\wscript.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 147456 bytes |
MD5 hash: | 7075DD7B9BE8807FCA93ACD86F724884 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:14:43 |
Start date: | 14/01/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x11d0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:14:44 |
Start date: | 14/01/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff724c50000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:14:44 |
Start date: | 14/01/2022 |
Path: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xda0000 |
File size: | 1005056 bytes |
MD5 hash: | 4E66AE5C311A1AADC1241790C112525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Antivirus matches: |
Reputation: | low |
General |
---|
Start time: | 19:14:51 |
Start date: | 14/01/2022 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8c30000 |
File size: | 226816 bytes |
MD5 hash: | 838D346D1D28F00783B7A6C6BD03A0DA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:14:52 |
Start date: | 14/01/2022 |
Path: | C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x2b0000 |
File size: | 1005056 bytes |
MD5 hash: | 4E66AE5C311A1AADC1241790C112525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Antivirus matches: |
Reputation: | low |
General |
---|
Start time: | 19:14:52 |
Start date: | 14/01/2022 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8c30000 |
File size: | 226816 bytes |
MD5 hash: | 838D346D1D28F00783B7A6C6BD03A0DA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:14:53 |
Start date: | 14/01/2022 |
Path: | C:\Windows\System32\schtasks.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e8c30000 |
File size: | 226816 bytes |
MD5 hash: | 838D346D1D28F00783B7A6C6BD03A0DA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 19:14:55 |
Start date: | 14/01/2022 |
Path: | C:\refhostperfdllCommon\refhostperfdllCommonsessionnetsvc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x980000 |
File size: | 1005056 bytes |
MD5 hash: | 4E66AE5C311A1AADC1241790C112525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | low |
General |
---|
Start time: | 19:14:55 |
Start date: | 14/01/2022 |
Path: | C:\Users\user\Pictures\Camera Roll\lsass.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7c0000 |
File size: | 1005056 bytes |
MD5 hash: | 4E66AE5C311A1AADC1241790C112525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Antivirus matches: |
Reputation: | low |
General |
---|
Start time: | 19:15:05 |
Start date: | 14/01/2022 |
Path: | C:\Recovery\wjIuhVBtfHXnMCZlWDoj.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x30000 |
File size: | 1005056 bytes |
MD5 hash: | 4E66AE5C311A1AADC1241790C112525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | low |
General |
---|
Start time: | 19:15:21 |
Start date: | 14/01/2022 |
Path: | C:\Users\user\Pictures\Camera Roll\lsass.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xb00000 |
File size: | 1005056 bytes |
MD5 hash: | 4E66AE5C311A1AADC1241790C112525F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|