Windows
Analysis Report
XShSI2OXaC.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- XShSI2OXaC.exe (PID: 5820 cmdline:
C:\Users\u ser\Deskto p\XShSI2OX aC.exe MD5: B69C9170FFAB277E1BD13FDE891A5AE5)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | Registry value created: | Jump to behavior |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Process Stats: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | Code function: |
Source: | File created: | Jump to behavior |
Source: | File written: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: | Jump to behavior |
Source: | Code function: |
Source: | Registry value created: | Jump to behavior |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | RDTSC instruction interceptor: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | API call chain: | ||
Source: | API call chain: |
Source: | Code function: |
Source: | Code function: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Access Token Manipulation | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Windows Service | Rootkit | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
40% | ReversingLabs | Win32.Trojan.InjectorX | ||
8% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | Virustotal | Browse | ||
4% | Metadefender | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 736966 |
Start date and time: | 2022-11-03 12:40:26 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | XShSI2OXaC.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.troj.evad.winEXE@1/6@0/0 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
Process: | C:\Users\user\Desktop\XShSI2OXaC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 852 |
Entropy (8bit): | 2.8931668942154323 |
Encrypted: | false |
SSDEEP: | 12:8gl0gsXou41w/tz+7RafgKDuKiP/3NJkKAd4t2Y+xIBjK:8/f4eaRMgKxiX9HAv7aB |
MD5: | 4C35348ABAD84AE5B63C7EE3148E0F95 |
SHA1: | 6805EF5D68BFDFF71F2841255892BC1957AE40AA |
SHA-256: | 0D6C1CB8C1BB8471AA59E453AE72C69B894A85EB2CE3AE3EFAE789CC89D92ADF |
SHA-512: | 74CB2490211DC4163D2AEA5C550338806070CD90FA7A461A2DBFBBC96B49CB44E2F351BAFAD5D3B201263923A2E674209C6DEBD1C3C7F746DDBE694216EB8320 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\XShSI2OXaC.exe |
File Type: | |
Category: | modified |
Size (bytes): | 12288 |
Entropy (8bit): | 5.737504888129487 |
Encrypted: | false |
SSDEEP: | 192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL |
MD5: | 8CF2AC271D7679B1D68EEFC1AE0C5618 |
SHA1: | 7CC1CAAA747EE16DC894A600A4256F64FA65A9B8 |
SHA-256: | 6950991102462D84FDC0E3B0AE30C95AF8C192F77CE3D78E8D54E6B22F7C09BA |
SHA-512: | CE828FB9ECD7655CC4C974F78F209D3326BA71CED60171A45A437FC3FFF3BD0D69A0997ADACA29265C7B5419BDEA2B17F8CC8CEAE1B8CE6B22B7ED9120BB5AD3 |
Malicious: | false |
Antivirus: | |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\Plugin_Status.ini
Download File
Process: | C:\Users\user\Desktop\XShSI2OXaC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 102 |
Entropy (8bit): | 3.52328456258532 |
Encrypted: | false |
SSDEEP: | 3:Q++l3293myVfslYx5hev/LmRlfVRlVl:Q++lQWyVkixm3up |
MD5: | 4F9A42DF26A7D4555300076765236140 |
SHA1: | 1F97D929B2FEC9B8171BC8433F046753E66A10A9 |
SHA-256: | 35BFF73B98E198313A09FDC972F7E9F16014C7E96ACA96A094510D3F6462473C |
SHA-512: | 26C627C99A9F1BE9C311C3B185A258BC5FE2DF9DB3AB7657BB2582940C185252AB586F6F20A8086E530D4A946BD9DF495F0C43C4C9259225945E16AC61AF5C00 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\vfslog.c
Download File
Process: | C:\Users\user\Desktop\XShSI2OXaC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 22849 |
Entropy (8bit): | 5.11077967265171 |
Encrypted: | false |
SSDEEP: | 384:mF+fT69ihYf2GM4R07AZI5dNkWb5jaxZBqOVSSZREtMOPSXCm:mf6AZINJb5jaxDqRSZgk |
MD5: | 1C9F1050DD84B2B185741F28309D3B30 |
SHA1: | 740C9AAFF5D67D3254239B5509D613E4BE9B5B85 |
SHA-256: | 669D3FF0B8649789381CDBB589746248898AFB4EBC2053952E57EB9475F5064A |
SHA-512: | 4A568558B4EF9ED4CA579E8DFBB0FDFFFFE6A442AE11E1FF48E1DB93267469BF66BC3B10DA3397A30C362E4F4CE0A1367E6266D0A78BC61060C103BB4625A1CF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Coronoid.Ano
Download File
Process: | C:\Users\user\Desktop\XShSI2OXaC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 169398 |
Entropy (8bit): | 6.943066252449536 |
Encrypted: | false |
SSDEEP: | 1536:kYNzSfaJrHw2kpeuoo3koyTLZbsBnqxlkTfIYsZYR0JY6nue2HSPKb4aBSBXPVso:OaRSpXo/DLZe9rlsU0JDnUAKb4USV2M |
MD5: | 41A2DEFADC6A543205116432277F62D5 |
SHA1: | FEBF4BE1B62529495501EAECE3E4691342F021C7 |
SHA-256: | 13DC3B2288380DB05CF9DDFA1EEBB66DB7C01035D3B895242824BC7CE2E6DC55 |
SHA-512: | 3C548C50A93B730B903A1EBEB65DC73C07238E56F2EFBCFFA986B8A63C4628FA677A157A0C3AE52123B2FA21FEFBF2966EEB7E0646EB43A4EEC9A25D035D86CC |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Parfaits\Produktoversigts\Newcomers\Igennen\view-more-horizontal-symbolic.symbolic.png
Download File
Process: | C:\Users\user\Desktop\XShSI2OXaC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 136 |
Entropy (8bit): | 5.506031499655005 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBll8xn9gR5XfixtIS2kj7QJ/lsg1p:6v/lhPys6aorIStC2up |
MD5: | 1E05E353B63930E92518EC5136819E9E |
SHA1: | 82E22F6A10959DDF998F17799BC8257528DF9C8E |
SHA-256: | 8E686112200E526D3928BF2F717A00B2E6EC74826AB3DC3AB63F7B5D6F760348 |
SHA-512: | E2896BB1D9C1514C7F6E6A60F4E1614FEF8DCBE774AEE4FA977C7DE91BBF37DDE6D45ECA73730082182226B8D3F755A06528FF57C4294F7F1AAD50910FB7A39E |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.775192199206559 |
TrID: |
|
File name: | XShSI2OXaC.exe |
File size: | 192936 |
MD5: | b69c9170ffab277e1bd13fde891a5ae5 |
SHA1: | 8928e5d360edbecd1547cf61831d4f055bed92af |
SHA256: | a81489460818664146f756543f081b702bcb69244ebf8f6a240b02b2357c577c |
SHA512: | 0bf095bdc0bd8c0898952e83249930fd02f68415915681a11cfed7276f7949384ed8cea8ee2339dfd567ca298402768e86a6e795086629c642c11a9d932d0196 |
SSDEEP: | 3072:PSrFD0QAGq6muqIpb5Hp15W0Om6GHAPulczSd8/Zjx5lY8pV+DdhLeWxSbTEZfSu:7QA4WaniPVSd8xflY8Ygmjd |
TLSH: | 8214F1513AB0E507ED275A3118796F273FF1791A19918B0B6350BBAA7D23380866F31F |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........18..PV..PV..PV.*_...PV..PW.MPV.*_...PV..sf..PV..VP..PV.Rich.PV.........PE..L......].................f...*.......5............@ |
Icon Hash: | f4f0d0dc4cccdcd4 |
Entrypoint: | 0x40350d |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5DF6D4ED [Mon Dec 16 00:50:53 2019 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 24f4223e271413c25abad52fd456a9bc |
Signature Valid: | false |
Signature Issuer: | OU="Mesterlig Efterbehandlingen Buggy ", E=rykninger@Vasks.Ud, O=Professionalisere, L=Paris 14, S=\xcele-de-France, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | C6482E31BD649A8F80BC03910D4D9041 |
Thumbprint SHA-1: | D014D5D190B882F8D11FE7402087EB970E60A7DB |
Thumbprint SHA-256: | 44451256F3DBCD4B695F950230470C038611B2648483EF95256B6744B7A32134 |
Serial: | 08753235BB3B561B |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A230h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080ACh] |
call dword ptr [004080A8h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042A24Ch], eax |
je 00007F6E64BD9BC3h |
push ebx |
call 00007F6E64BDCE97h |
cmp eax, ebx |
je 00007F6E64BD9BB9h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007F6E64BDCE11h |
push esi |
call dword ptr [00408154h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F6E64BD9B9Ch |
push 0000000Ah |
call 00007F6E64BDCE6Ah |
push 00000008h |
call 00007F6E64BDCE63h |
push 00000006h |
mov dword ptr [0042A244h], eax |
call 00007F6E64BDCE57h |
cmp eax, ebx |
je 00007F6E64BD9BC1h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F6E64BD9BB9h |
or byte ptr [0042A24Fh], 00000040h |
push ebp |
call dword ptr [00408040h] |
push ebx |
call dword ptr [0040829Ch] |
mov dword ptr [0042A318h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 004216E8h |
call dword ptr [00408184h] |
push 0040A384h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65000 | 0x36e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2d280 | 0x1f28 | .ndata |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2ac | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x647b | 0x6600 | False | 0.6578967524509803 | data | 6.426522741823245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1384 | 0x1400 | False | 0.45 | data | 5.136348990166042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20358 | 0x600 | False | 0.5032552083333334 | data | 4.005849468822358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2b000 | 0x3a000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x65000 | 0x36e0 | 0x3800 | False | 0.44998604910714285 | data | 5.471517583781187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x652b0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x65618 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
RT_DIALOG | 0x67bc0 | 0x144 | data | English | United States |
RT_DIALOG | 0x67d08 | 0x13c | data | English | United States |
RT_DIALOG | 0x67e48 | 0x100 | data | English | United States |
RT_DIALOG | 0x67f48 | 0x11c | data | English | United States |
RT_DIALOG | 0x68068 | 0xc4 | data | English | United States |
RT_DIALOG | 0x68130 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x68190 | 0x14 | data | English | United States |
RT_VERSION | 0x681a8 | 0x1f4 | data | English | United States |
RT_MANIFEST | 0x683a0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, MoveFileW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, lstrcmpW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, DeleteFileW, FindFirstFileW, FindNextFileW, FindClose, SetFilePointer, ReadFile, MulDiv, lstrlenA, WideCharToMultiByte, MultiByteToWideChar, WritePrivateProfileStringW, FreeLibrary, GetPrivateProfileStringW, GetModuleHandleW, LoadLibraryExW |
USER32.dll | GetWindowRect, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, ScreenToClient, EnableMenuItem, GetDlgItem, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, SystemParametersInfoW, EndDialog, RegisterClassW, DialogBoxParamW, CreateWindowExW, GetClassInfoW, DestroyWindow, CharNextW, ExitWindowsEx, SetWindowTextW, LoadImageW, SetTimer, ShowWindow, PostQuitMessage, wsprintfW, SetWindowLongW, FindWindowExW, IsWindow, CreatePopupMenu, AppendMenuW, GetSystemMetrics, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow |
GDI32.dll | SelectObject, SetTextColor, SetBkMode, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor |
SHELL32.dll | ShellExecuteExW, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetFileInfoW, SHFileOperationW, SHBrowseForFolderW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 12:41:19 |
Start date: | 03/11/2022 |
Path: | C:\Users\user\Desktop\XShSI2OXaC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 192936 bytes |
MD5 hash: | B69C9170FFAB277E1BD13FDE891A5AE5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |