
Windows Analysis Report
TavernWorker.exe

Overview

General Information

Sample name: TavernWorker.exe
Analysis ID: 1483025
MD5: 4f6fccac4aebf9f5a9e46909d81d3fab
SHA1: e28b55e9cbbb9cba1f6cd8a08ffcd426e5d7331d
SHA256: e236ef1eebc1623fe23ec12b60df20bd36211a18a0e3279373eec6acfe530be7

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
PE file contains section with special chars
Entry point lies outside standard sections
PE file contains sections with non-standard names

Classification

Classification scale: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (rated clean / suspicious / malicious)
  • System is w10x64
  • TavernWorker.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\TavernWorker.exe" MD5: 4F6FCCAC4AEBF9F5A9E46909D81D3FAB)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: TavernWorker.exe | Static PE information: certificate valid
Source: TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://169.254.169.254
Source: TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://169.254.169.254ipv4ipv6http://
Source: TavernWorker.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TavernWorker.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: TavernWorker.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TavernWorker.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: TavernWorker.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TavernWorker.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: TavernWorker.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TavernWorker.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TavernWorker.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://freeimage.sourceforge.net
Source: TavernWorker.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: TavernWorker.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: TavernWorker.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: TavernWorker.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: TavernWorker.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/basic-use.html

System Summary

Source: TavernWorker.exe | Static PE information: section name: . dB/
Source: TavernWorker.exe | Static PE information: section name: .v>'I
Source: TavernWorker.exe | Static PE information: section name: .q#9,
Source: classification engine | Classification label: mal52.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\TavernWorker.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: vcomp140.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TavernWorker.exe | Section loaded: uxtheme.dll
Source: TavernWorker.exe | Static PE information: certificate valid
Source: TavernWorker.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: TavernWorker.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: TavernWorker.exe | Static file information: File size 26065328 > 1048576
Source: TavernWorker.exe | Static PE information: Raw size of .q#9, is bigger than: 0x100000 < 0x18d0600
Source: initial sample | Static PE information: section where entry point is pointing to: .q#9,
Source: TavernWorker.exe | Static PE information: section name: _RDATA
Source: TavernWorker.exe | Static PE information: section name: CPADinfo
Source: TavernWorker.exe | Static PE information: section name: . dB/
Source: TavernWorker.exe | Static PE information: section name: .v>'I
Source: TavernWorker.exe | Static PE information: section name: .q#9,
Source: C:\Users\user\Desktop\TavernWorker.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141B4B2E8
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141B0464E
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141B497E5
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x1417E0281
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141D7DB6D
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141885887
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141890F45
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141890F56
Source: C:\Users\user\Desktop\TavernWorker.exe | NtProtectVirtualMemory: Direct from: 0x141D5822D
MITRE ATT&CK Matrix (a technique followed by (1) was matched by one signature; the others are the matrix's default entries with no match):

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
  • Defense Evasion: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Information Discovery (1); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service
Behavior Graph (ID: 1483025, Sample: TavernWorker.exe, Startdate: 26/07/2024, Architecture: WINDOWS, Score: 52):

  • Start node: TavernWorker.exe is started (process node)
  • Signatures on the sample node: PE file contains section with special chars; AI detected suspicious sample
  • Signatures on the TavernWorker.exe process node: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
TavernWorker.exe | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://169.254.169.254ipv4ipv6http:// | 0% | Avira URL Cloud | safe
https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/basic-use.html | 0% | Avira URL Cloud | safe
http://freeimage.sourceforge.net | 0% | Avira URL Cloud | safe
http://169.254.169.254 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://freeimage.sourceforge.net | TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://169.254.169.254ipv4ipv6http:// | TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://169.254.169.254 | TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/basic-use.html | TavernWorker.exe, 00000000.00000002.2129396246.00000001405D9000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483025
Start date and time: 2024-07-26 14:19:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TavernWorker.exe
Detection: MAL
Classification: mal52.evad.winEXE@1/1@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com
  • VT rate limit hit for: TavernWorker.exe
No simulations
No context
Process: C:\Users\user\Desktop\TavernWorker.exe
File Type: data
Category: dropped
Size (bytes): 648
Entropy (8bit): 7.435306483065724
Encrypted: false
SSDEEP: 12:Bpk3oPhkt0q+Wpk3oPhkt0l2+iHfOUFpk3oPhkt0YkPfU6EYA/j37:BpaRtB+WpaRtNJPpaRtpkPfUrPj37
MD5: 95B1B017EF40626A7349E7F2EB0D266E
SHA1: A5B4AA03320EF4B06D52B03629A4BA3DFE9C6D33
SHA-256: A583389268DD2697E4E89E098D331173D29B9DB632F14BA98D53B3FEFEBFD1FA
SHA-512: 6E354D7857B3A87E1805FBC73AC8B2C060031563587B1DED9DE2CDAEFFD5E973EB3EE2525B378349113593769E7DBCACB154057634E38285ADAE75C8C24AC46A
Malicious: false
Reputation: low
Preview:.M.w;.d..1.?...5e...[.`.;.N<P.Z.d......4....* .q....O.}....]......C.P...&.,Y...M.w.I..i.=i.U.DQsm@.K*..6..P@...B..^hQ..._.>.vY._........(....,..M.w;.d..1.?...5e...[.`.;.N<P.Z.d......4....* .q....O.}....]......C.P...&.,Y...M.w.I..i.=i.U.DQsm@..Pco..E...-.H....3.......mg...\Z.?.....T.0..6/o.%u$.....uI........{l,V.?.O. ..[..\.....h..x.97.).k.o.#L..w`b...........IY.....F.*.M#I.#....M.w;.d..1.?...5e...[.`.;.N<P.Z.d......4....* .q....O.}....]......C.P...&.,Y...M.w.I..i.=i.U.DQsm@....4..W>.~.H.v....q,..k.>."s.I...G.Q.E-o[.(..76.sW..[w.uy?uX.rGC.fz.|....[..sF..i......w.MZ.C.aK.9T.....Gu.M).c...L...A..3......~e.|n.H..
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.79430846166827
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: TavernWorker.exe
File size: 26'065'328 bytes
MD5: 4f6fccac4aebf9f5a9e46909d81d3fab
SHA1: e28b55e9cbbb9cba1f6cd8a08ffcd426e5d7331d
SHA256: e236ef1eebc1623fe23ec12b60df20bd36211a18a0e3279373eec6acfe530be7
SHA512: d132efa063f0b41c9a59f78540ae167053f16d724974b1a57f1d778a2bd12809b43c483ee8eafc33d43a3dbadee1104909afa3e165fcb6603e5b29f94a899fde
SSDEEP: 393216:rZOhaWe6nHXCVetIm7os+0zV15v/9Eg5usqV3qNcTak8i:rWaWe0CMtImksvD5XcHgNcX8i
TLSH: 9E47238A66E9F2D8C7C214B4364645D630C4A8AE90FE49343ECB5C03B634D6F559EEF2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...d".f..........#.......]...D.......}........@.............................@......>..... ................................
Icon Hash: 1731d0d4e8313317
Entrypoint: 0x1417dead8
Entrypoint Section: .q#9,
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66A22264 [Thu Jul 25 10:01:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 5c680ccbcf1f2b39a51841f631a253a6
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
  • 24/04/2023 02:00:00, 26/04/2026 01:59:59
Subject Chain:
  • CN="IRONMACE Co., Ltd.", O="IRONMACE Co., Ltd.", L=Seongnam-si, S=Gyeonggi-do, C=KR, SERIALNUMBER=131111-0648617, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Seongnam-si, OID.1.3.6.1.4.1.311.60.2.1.2=Gyeonggi-do, OID.1.3.6.1.4.1.311.60.2.1.3=KR
Version: 3
Thumbprint MD5: 1447BEC63833F8FDFD6DA1C68E6EBD71
Thumbprint SHA-1: F75A97056BE27687A9566D8990E0195DEEBAED26
Thumbprint SHA-256: F8271ABF570275983924AAE705493F0C230515048AED3B990668710133C40E5F
Serial: 0B2ABADED1E199A4C9696D4013C51CBB
Instruction
call 00007F5048E0419Fh
je 00007F5048D6E353h
sub dh, byte ptr [edx-1Dh]
cmp byte ptr [edi-75h], dh
pop esi
retn F347h
scasb
popfd
jnp 00007F5048D6E2DEh
mov bp, ds
mov edi, C1142F0Ch
inc ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27687f0 | 0x17c | .q#9,
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30ad000 | 0x6f65 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x30732f0 | 0x39300 | .q#9,
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18d9000 | 0x29b0 | .q#9,
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x17e34a0 | 0x28 | .q#9,
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x30731b0 | 0x138 | .q#9,
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17da000 | 0x120 | .v>'I
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5d7e58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x5d9000 | 0x24752c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x821000 | 0x1c20c8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x9e4000 | 0x38d18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0xa1d000 | 0xf4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
CPADinfo | 0xa1e000 | 0x38 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
. dB/ | 0xa1f000 | 0xdba9b2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.v>'I | 0x17da000 | 0x1538 | 0x1600 | 61c0b4e86b8ffb519ef5e50e7c75126c | False | 0.02361505681818182 | data | 0.15607580838853874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.q#9, | 0x17dc000 | 0x18d05f0 | 0x18d0600 | 7d468632aeb8ab6fa07d854523c07fd1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x30ad000 | 0x6f65 | 0x7000 | caa7738631c2839e4b73fbd78b293f2f | False | 0.51220703125 | data | 5.435679114946002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x30ad1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Korean | North Korea | 0.41400709219858156
RT_ICON | 0x30ad1f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Korean | South Korea | 0.41400709219858156
RT_ICON | 0x30ad658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Korean | North Korea | 0.34508196721311474
RT_ICON | 0x30ad658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Korean | South Korea | 0.34508196721311474
RT_ICON | 0x30adfe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Korean | North Korea | 0.2875234521575985
RT_ICON | 0x30adfe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Korean | South Korea | 0.2875234521575985
RT_ICON | 0x30af088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Korean | North Korea | 0.2103734439834025
RT_ICON | 0x30af088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Korean | South Korea | 0.2103734439834025
RT_ICON | 0x30b1630 | 0x242c | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | Korean | North Korea | 0.9951403887688985
RT_ICON | 0x30b1630 | 0x242c | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | Korean | South Korea | 0.9951403887688985
RT_GROUP_ICON | 0x30b3a60 | 0x4c | data | Korean | North Korea | 0.7763157894736842
RT_GROUP_ICON | 0x30b3a60 | 0x4c | data | Korean | South Korea | 0.7763157894736842
RT_VERSION | 0x30b3ab0 | 0x334 | data | Korean | North Korea | 0.43414634146341463
RT_VERSION | 0x30b3ab0 | 0x334 | data | Korean | South Korea | 0.43414634146341463
RT_MANIFEST | 0x30b3de8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetVersion
USER32.dll | GetSystemMetrics
ADVAPI32.dll | OpenProcessToken
SHELL32.dll | SHCreateDirectoryExW
ole32.dll | CoSetProxyBlanket
OLEAUT32.dll | SysFreeString
VERSION.dll | GetFileVersionInfoA
Secur32.dll | FreeContextBuffer
d3d11.dll | D3D11CreateDevice
WININET.dll | InternetOpenUrlW
VCOMP140.DLL | _vcomp_for_dynamic_next
WS2_32.dll | WSAStartup
bcrypt.dll | BCryptGetProperty
USERENV.dll | GetUserProfileDirectoryW
dbghelp.dll | SymInitialize
WINHTTP.dll | WinHttpOpenRequest
CRYPT32.dll | CertFreeCertificateChainEngine
ncrypt.dll | NCryptImportKey
Language of compilation system | Country where language is spoken
Korean | North Korea
Korean | South Korea
English | United States
No network behavior found
Target ID: 0
Start time: 08:20:48
Start date: 26/07/2024
Path: C:\Users\user\Desktop\TavernWorker.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\TavernWorker.exe"
Imagebase: 0x140000000
File size: 26'065'328 bytes
MD5 hash: 4F6FCCAC4AEBF9F5A9E46909D81D3FAB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly