Windows
Analysis Report
D009780.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- D009780.exe (PID: 3772 cmdline:
C:\Users\u ser\Deskto p\D009780. exe MD5: 649E0964D04AC89667C1F59FE99C7799)
- cleanup
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Registry value created: | Jump to behavior |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | String found in binary or memory: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Process Stats: |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | Code function: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: | Jump to behavior |
Source: | Code function: |
Source: | Registry value created: | Jump to behavior |
Source: | Static PE information: |
Source: | Code function: |
Source: | Code function: |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | RDTSC instruction interceptor: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | API call chain: | ||
Source: | API call chain: |
Source: | Code function: |
Source: | Code function: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Windows Service | 1 Access Token Manipulation | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
22% | ReversingLabs | Win32.Trojan.Guloader |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 755926 |
Start date and time: | 2022-11-29 10:24:07 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | D009780.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal52.evad.winEXE@1/6@0/0 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 93.184.221.240
- Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: D009780.exe
Process: | C:\Users\user\Desktop\D009780.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.659384359264642 |
Encrypted: | false |
SSDEEP: | 192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz |
MD5: | 8B3830B9DBF87F84DDD3B26645FED3A0 |
SHA1: | 223BEF1F19E644A610A0877D01EADC9E28299509 |
SHA-256: | F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37 |
SHA-512: | D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03 |
Malicious: | false |
Antivirus: |
|
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Anhydridizes.Imi121
Download File
Process: | C:\Users\user\Desktop\D009780.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 166213 |
Entropy (8bit): | 6.7188897468610635 |
Encrypted: | false |
SSDEEP: | 1536:yyKNH91XkciA5V8SsuXEkWtJbVKrUp+3Rdtt03z2pXy5gMRKhKcfhby09qVLDerk:8rXEA5V2mPa+XVHpXE3RKLwLcppDa |
MD5: | 8F8B455423728EC3F56CC534165292C8 |
SHA1: | B7BC0FBD5826D73287D66560C7D0DA6738B5AFD8 |
SHA-256: | 38583A88A0AD9F6B776B25BEFF612F21A8AD8289F1FC5E75AD0D411BF5FED52F |
SHA-512: | 0906AFFD2078F6DB365EBFCB89EB052F9C343976B851ACCB9FA91299414F33632F8F52A59C9E1BAC49D83A34335302E747285DB5AA34C133FB51F444FA5BB529 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\Psammologist.Pan
Download File
Process: | C:\Users\user\Desktop\D009780.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 41040 |
Entropy (8bit): | 7.995359137976442 |
Encrypted: | true |
SSDEEP: | 768:wNhagjlZc4ExPMbCVVsT62u53N+qUy22/aJKHBO2jj5dJQ:LeZcpeEVsTp03Nu2CJK5jj5dy |
MD5: | 14E3BC546122A6AABCBAA4FD77EB0DF9 |
SHA1: | 6D6F937F85083A6B7D3CD784FD7FD2F9D602B8A0 |
SHA-256: | E3DBEFBAE9D754C328269CF29CDDC926ECE497029B763FCC322B431AE03D940D |
SHA-512: | 8BD0F74C31573CEF3B68B8CCD575822C22197D880CA331F884669316C17047DB3AE49BD79DCFC4EC21257399EA7E238226956BF681130D5263BC5BDFFB84D284 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\libxml2-2.0.typelib
Download File
Process: | C:\Users\user\Desktop\D009780.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\memstat.c
Download File
Process: | C:\Users\user\Desktop\D009780.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 13484 |
Entropy (8bit): | 5.15716859322729 |
Encrypted: | false |
SSDEEP: | 192:B3tdgdRmAMgyWkSctse3XX6ZjuguOixHRYqx0NzZW+08e:B3tuPdjJ0TCzZWv |
MD5: | BD46EB22C1A1B4EA40373E8F57BFF4E3 |
SHA1: | CC2943E660BBB1697B7561F2776A7BCE2F36718A |
SHA-256: | 8361836BCB172722E5F2EE90AF31834B9B08B828A90E80E0BB930C336001B4CE |
SHA-512: | 5994643BCDFDF59B7EBF8FE36BC30CF0A454966FA95741D80AC81E9C42126A66ACDD782F6D7852A35CAE171FCC0DE1218EC1CD951829F7EC1C72B35EE7487D74 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Staveren\Kolkhozy\Fatalists\Cassythaceae\selection-end-symbolic.symbolic.png
Download File
Process: | C:\Users\user\Desktop\D009780.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 138 |
Entropy (8bit): | 5.559646592748364 |
Encrypted: | false |
SSDEEP: | 3:yionv//thPl9vt3lAnsrtxBllO9p2hkq8PQ1/kbcw1w9lDk7kup:6v/lhPys8pQt8PQ2cw1IlDXup |
MD5: | 9863709F8F136F0F38A5D9CF2740143A |
SHA1: | 0EC6AA74A3FED4719B1B8D2E8468239489D84427 |
SHA-256: | 2C86B3EDF2A397608FE0C12A634F175DE1E3C4E5C4610B8457578B549069A7B0 |
SHA-512: | B1D8DC9CAFF35264E117201C0DB2112F4C07BAB9235188D32F90B9D00DC2E7AC27ECC1FC9753C5F50949C95D91EEA0C5F318D6D1C8D7587CA0A68AD2CC1C4EB5 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.727040003614326 |
TrID: |
|
File name: | D009780.exe |
File size: | 296621 |
MD5: | 649e0964d04ac89667c1f59fe99c7799 |
SHA1: | 5debabb563c0c457670b925c4c8f4830484a0067 |
SHA256: | 2b5120f2d732c6b78ddac5ac679cbbf279d96108d50cc02e569be1e07813b604 |
SHA512: | 5fb49e4d8199e28f018f21d7d5eff3eafeade9c4f72c2bf5dabb6476c84a7945a5f67681de6df40a95a47412dc89586497bd4a7cb0ad2934d962db8b376d80ea |
SSDEEP: | 6144:nQ606xDpoDTOfHQerv77Um8RHZ9USC/U3zP9wnZwC2djTTv/o:FpoPOfQqvHUmIkS53zPunZwd7Ho |
TLSH: | 1854122063A0C433D6AA0A30DD1386F79FB59C69EE096F87D3507E9C7C72246D52E35A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...6.uY.................f......... |
Icon Hash: | c60ccd1616164e46 |
Entrypoint: | 0x403373 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x59759536 [Mon Jul 24 06:35:34 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [00434EECh], eax |
je 00007FC9C0A66683h |
push ebx |
call 00007FC9C0A69919h |
cmp eax, ebx |
je 00007FC9C0A66679h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007FC9C0A69893h |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007FC9C0A6665Ch |
push 0000000Ah |
call 00007FC9C0A698ECh |
push 00000008h |
call 00007FC9C0A698E5h |
push 00000006h |
mov dword ptr [00434EE4h], eax |
call 00007FC9C0A698D9h |
cmp eax, ebx |
je 00007FC9C0A66681h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FC9C0A66679h |
or byte ptr [00434EEFh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [00434FB8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 0042B208h |
call dword ptr [00408188h] |
push 0040A2C8h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x16898 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x65ef | 0x6600 | False | 0.6750919117647058 | data | 6.514810500836391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x149a | 0x1600 | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x2aff8 | 0x600 | False | 0.5162760416666666 | data | 4.036693470004838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x35000 | 0x41000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x76000 | 0x16898 | 0x16a00 | False | 0.7946089433701657 | data | 7.153289056271752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x76478 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States |
RT_ICON | 0x767e0 | 0x9d19 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x80500 | 0x4102 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States |
RT_ICON | 0x84608 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
RT_ICON | 0x86bb0 | 0x16e8 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States |
RT_ICON | 0x88298 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States |
RT_ICON | 0x89340 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States |
RT_ICON | 0x8a1e8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States |
RT_ICON | 0x8aa90 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States |
RT_ICON | 0x8b0f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States |
RT_ICON | 0x8b660 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States |
RT_ICON | 0x8bac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States |
RT_ICON | 0x8bdb0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States |
RT_DIALOG | 0x8bed8 | 0x144 | data | English | United States |
RT_DIALOG | 0x8c020 | 0x13c | data | English | United States |
RT_DIALOG | 0x8c160 | 0x100 | data | English | United States |
RT_DIALOG | 0x8c260 | 0x11c | data | English | United States |
RT_DIALOG | 0x8c380 | 0xc4 | data | English | United States |
RT_DIALOG | 0x8c448 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x8c4a8 | 0xae | data | English | United States |
RT_MANIFEST | 0x8c558 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 10:24:59 |
Start date: | 29/11/2022 |
Path: | C:\Users\user\Desktop\D009780.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 296621 bytes |
MD5 hash: | 649E0964D04AC89667C1F59FE99C7799 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |