Windows
Analysis Report
#U00d6DEME FORMU.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- #U00d6DEME FORMU.exe (PID: 6304 cmdline:
"C:\Users\ user\Deskt op\#U00d6D EME FORMU. exe" MD5: 0204546CC8568A60D97947C5FD6CCD49) - erltu.exe (PID: 6336 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\erltu.e xe C:\User s\user\App Data\Local \Temp\fvcs hciph MD5: 2603B527A791BAA25AC589C33B254470) - erltu.exe (PID: 6356 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\erltu.e xe C:\User s\user\App Data\Local \Temp\fvcs hciph MD5: 2603B527A791BAA25AC589C33B254470)
- cleanup
{"C2 list": ["www.liuchenggang.com/b0y1/"], "decoy": ["newindexpress.com", "tg5szfdz.xyz", "aims1881.com", "bonaegroup.com", "be99caboi8.xyz", "weddingcentrepieces.com", "acigdmodel.com", "ketotax.info", "learnedware.com", "learning-rich-work.store", "multipreset.store", "flyttfirmaorebro.com", "58bilisim.xyz", "joseketofitdiet.site", "duomeishop.com", "programacaozerobarriga.site", "gygezau517.xyz", "awesometutorials.xyz", "hwvzfn3t.xyz", "nycexoticbullies.com", "smallbizmaker.com", "isarfeuer.com", "wacker-silicones.com", "tongtoto.com", "xofitessentials.com", "begep.space", "paperbackbookbox.com", "ihhsiljc.beauty", "jankarbaniye.com", "boli-12.xyz", "gridwriter.com", "377manhua.com", "willywaw98cop.com", "acumelet.com", "theupgradeexperiencemedia.com", "pimientamultimedia.com", "phoenixgold.xyz", "plunderdseign.com", "erdberrehausgsd.net", "aboutsprouts.com", "castle-clash.com", "nwcabin.com", "kurtizanki-spb.com", "yqphx.xyz", "casinowithout.com", "jctcopera.com", "antalyaluxuryvilla.xyz", "sagedidthis.com", "144z.xyz", "iska4peps.life", "rightthewrong.biz", "zib0bsivacf8.xyz", "beijingzhongruanchuangheng.site", "jylfxx.net", "newsletterexperience.com", "rnrprowash.com", "bylunakdy.com", "upasev.online", "businessreputationmanager.com", "kidsacooking.com", "brangusprimebeef.com", "nickhaven.com", "o1apopdpzhah.xyz", "negociodigital.store"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Click to see the 1 entries |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Avira URL Cloud: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Avira: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking |
---|
Source: | URLs: |
Source: | Binary or memory string: |
Source: | Code function: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: | Jump to behavior |
Source: | Code function: |
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: |
Source: | Evasive API call chain: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | API call chain: | ||
Source: | API call chain: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 12 Native API | Path Interception | 11 Process Injection | 11 Process Injection | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 13 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
52% | Virustotal | Browse | ||
37% | ReversingLabs | Win32.Trojan.FormBook |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
48% | Virustotal | Browse | ||
44% | ReversingLabs | Win32.Trojan.FormBook |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.ZPACK.Gen | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse | ||
100% | Avira URL Cloud | malware |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| low |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 635282 |
Start date and time: 27/05/202218:22:58 | 2022-05-27 18:22:58 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | #U00d6DEME FORMU.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@5/4@0/0 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
- Not all processes where analyzed, report is missing behavior information
Process: | C:\Users\user\Desktop\#U00d6DEME FORMU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 134144 |
Entropy (8bit): | 6.41218091663839 |
Encrypted: | false |
SSDEEP: | 1536:dYTOG+x8+YaGDARvmJVBqNvnlajcCOO0LdXU8JiA1Oyrx9WTqIDEJ+ksaSIJnXSU:JfbnR6BqNvncvhw9WTfEcLa4iG5skW |
MD5: | 2603B527A791BAA25AC589C33B254470 |
SHA1: | 65EBDA93314517E098138BD9670ECCB345C7F662 |
SHA-256: | 1AD07E46E78EB5A2AFC723FC2A8DF86D7B731A3CA853E4225622226EFC786F8F |
SHA-512: | E5B3A208581A1B46382CC9D91D5C4FD3EE36DE741E57A1DB407F3A0B0602CC6678C7DBDCEB8DEE02614E1340FC7876DCD5088AB65DC74910A429CF21DAC6B579 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\#U00d6DEME FORMU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5310 |
Entropy (8bit): | 6.093682530663886 |
Encrypted: | false |
SSDEEP: | 96:Wr9SaelkbOMBZUKzrCJEjZUFdPTzZoXeIPyHbODrnV/G8XhiOOAT/jOsu1p4w/k/:K9Sa3OEsoUXTzqbPRJSB1BRV0BDnR |
MD5: | 4E6A59FE3DCD5B83B64609193D85528E |
SHA1: | 1E0F857CD72F2984A09E821DCEA318CD2863B217 |
SHA-256: | 7C5E9EC5245DE0AF358577C4E78B2F24B3810E626E2F29B178B638B04FB86860 |
SHA-512: | DFDE155F973F2B13174B6FB9A2238677D79F49BBE9BACFF6A0046BA79B8BE23A861E56C8F14F4587FA52DCC81CA38FAC142C287D19E3AB4B4FD46155D14C3AB2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\#U00d6DEME FORMU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 189951 |
Entropy (8bit): | 7.990465363694904 |
Encrypted: | true |
SSDEEP: | 3072:idfJQ4gfu2P+FGvM99Z1MG/ZtaEwV74jIFaRVIm53ZvUs1tFbdKKabXj2:idRku2SG4vlZtaqI8RWm53RUivBYXK |
MD5: | D922F036AA538A949728682FE98BF835 |
SHA1: | A850EDF8BFA9EC5694F512062DAFB58929215DEE |
SHA-256: | 5B6B55B1FA6DEC84C11C4127725ED66FB32394D8C09BE7C3771B43E12C6BFBC3 |
SHA-512: | 14C2188E46699A4268A157E2B8D1C40EFFC8B915916E479CE5C04900A1DBBB8E995561E63A5AEF162F986165EBD1CA7CF5A975488046A524C2498282DECB0A6B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\#U00d6DEME FORMU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 335245 |
Entropy (8bit): | 7.531798748691562 |
Encrypted: | false |
SSDEEP: | 6144:HJPdRku2SG4vlZtaqI8RWm53RUivBYXpZpvncWMElGC:8WNSqHRWm53RdZYXp/cWMEl |
MD5: | 9D1B5193868454C6C8B9F0FEA6AA7C8E |
SHA1: | 02818918499AF004548E0C1F641AE9965F27AD13 |
SHA-256: | BFFEBF62D8473D23F0BA2001738071F94D53532D97D8D3A9B35CA272A8FBDFA5 |
SHA-512: | 562776614426BC11294FC7DD8599AEE68FE14ACCA1F8DE671F3A33299A2225EE2735AA2BE3C569BC3EAB3733F4C34FB80187FCD4361DE844E41FABED250A58B5 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.940379937299889 |
TrID: |
|
File name: | #U00d6DEME FORMU.exe |
File size: | 278482 |
MD5: | 0204546cc8568a60d97947c5fd6ccd49 |
SHA1: | ff7c492dd728279cd763af6fa525606431fc8db0 |
SHA256: | eddc1ee1fafda4fe7cf6d114276c992806f33d7527d346464bad7033875fbd66 |
SHA512: | 24fb62695c5455d362fbc157446a2cb2a7ae248268c0786cbd91a79a40fa32baa4f984cbbb45a6dd9f678f26cde7b6a7eb31cf1146f0fbaf17f060b58fa5d077 |
SSDEEP: | 6144:B0YuB3ZgxdaCVG/RF5JUVu0dXet0ojX1nQcznQ:eB3AdaC8/RFYTQ0QDQ |
TLSH: | FB441247B7F054F7D1729E3215A3E699F232A34619A191C71FB0AEB9B03E9C1048B74B |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qJ...$...$...$./.{...$...%.;.$.".y...$..3....$.f."...$.Rich..$.........................PE..L.....iF.................Z......... |
Icon Hash: | b2a88c96b2ca6a72 |
Entrypoint: | 0x4032fa |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4669CEB6 [Fri Jun 8 21:48:38 2007 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 55f3dfd13c0557d3e32bcbc604441dd3 |
Instruction |
---|
sub esp, 00000180h |
push ebx |
push ebp |
push esi |
xor ebx, ebx |
push edi |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409170h |
xor esi, esi |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [00407030h] |
push ebx |
call dword ptr [00407278h] |
mov dword ptr [00423FD4h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 00000160h |
push eax |
push ebx |
push 0041F4E8h |
call dword ptr [00407154h] |
push 0040922Ch |
push 00423720h |
call 00007F2BD1003B38h |
call dword ptr [004070B4h] |
mov edi, 00429000h |
push eax |
push edi |
call 00007F2BD1003B26h |
push ebx |
call dword ptr [00407108h] |
cmp byte ptr [00429000h], 00000022h |
mov dword ptr [00423F20h], eax |
mov eax, edi |
jne 00007F2BD100139Ch |
mov byte ptr [esp+14h], 00000022h |
mov eax, 00429001h |
push dword ptr [esp+14h] |
push eax |
call 00007F2BD1003619h |
push eax |
call dword ptr [00407218h] |
mov dword ptr [esp+1Ch], eax |
jmp 00007F2BD10013F5h |
cmp cl, 00000020h |
jne 00007F2BD1001398h |
inc eax |
cmp byte ptr [eax], 00000020h |
je 00007F2BD100138Ch |
cmp byte ptr [eax], 00000022h |
mov byte ptr [esp+14h], 00000020h |
jne 00007F2BD1001398h |
inc eax |
mov byte ptr [esp+14h], 00000022h |
cmp byte ptr [eax], 0000002Fh |
jne 00007F2BD10013C5h |
inc eax |
cmp byte ptr [eax], 00000053h |
jne 00007F2BD10013A0h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a0 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x288 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x59ac | 0x5a00 | False | 0.668142361111 | data | 6.45807821776 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x117a | 0x1200 | False | 0.4453125 | data | 5.17513527374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1afd8 | 0x400 | False | 0.6015625 | data | 4.98110806401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94448786242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States |
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States |
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States |
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States |
RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CloseHandle, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Target ID: | 0 |
Start time: | 18:24:13 |
Start date: | 27/05/2022 |
Path: | C:\Users\user\Desktop\#U00d6DEME FORMU.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 278482 bytes |
MD5 hash: | 0204546CC8568A60D97947C5FD6CCD49 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 1 |
Start time: | 18:24:15 |
Start date: | 27/05/2022 |
Path: | C:\Users\user\AppData\Local\Temp\erltu.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1010000 |
File size: | 134144 bytes |
MD5 hash: | 2603B527A791BAA25AC589C33B254470 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | low |
Target ID: | 2 |
Start time: | 18:24:16 |
Start date: | 27/05/2022 |
Path: | C:\Users\user\AppData\Local\Temp\erltu.exe |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 134144 bytes |
MD5 hash: | 2603B527A791BAA25AC589C33B254470 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |