Windows Analysis Report
12.exe

Overview

General Information

Sample name: 12.exe
Analysis ID: 1544430
MD5: d4e6ee6762c4f87650cd3e591ff7f71a
SHA1: 91be75dc4311c405c0267df327330fdaf585ba9b
SHA256: b53a2e87ac17942649c2fc60f3247c898faf563d84f596344cfacd03350b031a
Tags: exe, mammn, Ransomware, user-NoName

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: 12.exe Avira: detected
Source: 12.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F32EE0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA, 0_2_00F32EE0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F334A0 CryptReleaseContext, 0_2_00F334A0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F335B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8, 0_2_00F335B0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F948A0 CryptReleaseContext, 0_2_00F948A0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F33040 CryptAcquireContextA,GetLastError,CryptReleaseContext, 0_2_00F33040
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F333D0 CryptReleaseContext, 0_2_00F333D0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F33410 CryptGenRandom,__CxxThrowException@8, 0_2_00F33410
Source: 12.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: G:\Mammon\Release\Mammon.pdb source: 12.exe
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F08240 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,Concurrency::details::HardwareAffinity::operator!=,std::_Container_base12::~_Container_base12, 0_2_00F08240
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00EFC5B0 FindFirstFileW,operator!=,operator!=,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,std::_Container_base12::~_Container_base12, 0_2_00EFC5B0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00EFCE60 FindFirstFileW,operator!=,std::_Container_base12::~_Container_base12,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,Concurrency::details::HardwareAffinity::operator!=,std::_Container_base12::~_Container_base12, 0_2_00EFCE60
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F49A22 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 0_2_00F49A22
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00EF9C50 FindFirstFileW,std::_Container_base12::~_Container_base12,operator!=,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,std::_Container_base12::~_Container_base12, 0_2_00EF9C50
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F82D68 FindFirstFileExA, 0_2_00F82D68
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F07E90 GetLogicalDriveStringsW,GetDriveTypeW,std::_Container_base12::~_Container_base12, 0_2_00F07E90
Source: 12.exe String found in binary or memory: https://t.me/mamondec
Source: 12.exe String found in binary or memory: https://t.me/mamondec1-Com
Source: 12.exe, 00000000.00000002.3267018222.000000000079E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/mamondecDOq
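The hashes in General Information and the strings above (the Mammon.pdb debug path and the t.me URL) are the report's static indicators. The script below is an added example for checking a file against them; it is not code from the report, the sandbox or the sample's author. It compares all three digests, then searches for the indicators as both ASCII and UTF-16LE, because Windows binaries keep many strings as wide characters and a plain ASCII grep misses them. The "1-Com" and "DOq" suffixes on the URL are adjacent bytes the string extractor picked up, so the shortest form is the one to match on. The blob built by build_constructed_blob() is synthetic test data, not 12.exe.

```python
"""IOC triage against the hashes and strings listed in this report.
Added example, not the report's or the sample's code. Standard library only."""
import hashlib
import sys

# Digests exactly as printed in the report's General Information block.
REPORT_HASHES = {
    "md5": "d4e6ee6762c4f87650cd3e591ff7f71a",
    "sha1": "91be75dc4311c405c0267df327330fdaf585ba9b",
    "sha256": "b53a2e87ac17942649c2fc60f3247c898faf563d84f596344cfacd03350b031a",
}

# Strings the report found in the binary or in process memory (shortest forms).
INDICATORS = [
    b"G:\\Mammon\\Release\\Mammon.pdb",
    b"https://t.me/mamondec",
]


def hash_file_bytes(data):
    """Return md5/sha1/sha256 hex digests of data."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report_hashes(data):
    """True only if all three digests equal the report's values."""
    return hash_file_bytes(data) == REPORT_HASHES


def find_indicators(data):
    """Return {indicator: [(encoding, offset), ...]} for every hit, ASCII or UTF-16LE."""
    hits = {}
    for ind in INDICATORS:
        found = []
        for enc, needle in (("ascii", ind), ("utf-16le", ind.decode().encode("utf-16le"))):
            pos = data.find(needle)
            while pos != -1:
                found.append((enc, pos))
                pos = data.find(needle, pos + 1)
        if found:
            hits[ind.decode()] = found
    return hits


def triage(data):
    """Summarise: exact hash match with the report, and which string IOCs are present."""
    return {"hash_match": matches_report_hashes(data), "indicators": find_indicators(data)}


def build_constructed_blob():
    """Synthetic test data (constructed for this example): padding with the PDB path
    embedded as ASCII and the URL embedded as UTF-16LE, followed by junk bytes."""
    wide_url = "https://t.me/mamondec".encode("utf-16le")
    return b"\x00" * 64 + INDICATORS[0] + b"\x00" * 32 + wide_url + b"DOq"


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_blob()
    result = triage(blob)
    print("hashes:", hash_file_bytes(blob))
    print("exact match with report:", result["hash_match"])
    for ind, where in result["indicators"].items():
        print("found %r at %s" % (ind, ", ".join("%s@0x%x" % w for w in where)))
```

Run it as `python triage.py 12.exe` on a real file; without an argument it runs on the constructed blob, which hits both indicators but, as expected, does not match the report's hashes.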
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F346D0 0_2_00F346D0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2E400 0_2_00F2E400
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F640FE 0_2_00F640FE
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F38525 0_2_00F38525
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F50630 0_2_00F50630
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F1C740 0_2_00F1C740
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F38C9F 0_2_00F38C9F
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2D0A4 0_2_00F2D0A4
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2D097 0_2_00F2D097
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F39026 0_2_00F39026
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F65170 0_2_00F65170
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F392B7 0_2_00F392B7
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F55317 0_2_00F55317
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F15450 0_2_00F15450
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2D440 0_2_00F2D440
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F396F0 0_2_00F396F0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F15650 0_2_00F15650
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F817B9 0_2_00F817B9
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F158F0 0_2_00F158F0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F1D860 0_2_00F1D860
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F79C63 0_2_00F79C63
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2DD89 0_2_00F2DD89
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F35EA0 0_2_00F35EA0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2DFAD 0_2_00F2DFAD
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F3A080 0_2_00F3A080
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F661BF 0_2_00F661BF
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F46690 0_2_00F46690
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F2E85B 0_2_00F2E85B
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F46970 0_2_00F46970
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F72B60 0_2_00F72B60
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F36B50 0_2_00F36B50
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F3AC00 0_2_00F3AC00
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F46D00 0_2_00F46D00
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4AD00 0_2_00F4AD00
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F52E31 0_2_00F52E31
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F6F041 0_2_00F6F041
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F471A0 0_2_00F471A0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F63560 0_2_00F63560
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F737B0 0_2_00F737B0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F638D2 0_2_00F638D2
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F379C0 0_2_00F379C0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F63B7C 0_2_00F63B7C
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F47B50 0_2_00F47B50
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F47DF0 0_2_00F47DF0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F63E43 0_2_00F63E43
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4FE4A 0_2_00F4FE4A
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F87F44 0_2_00F87F44
Source: C:\Users\user\Desktop\12.exe Code function: String function: 00EE8040 appears 80 times
Source: C:\Users\user\Desktop\12.exe Code function: String function: 00F4B7C6 appears 88 times
Source: C:\Users\user\Desktop\12.exe Code function: String function: 00F4C8AD appears 84 times
Source: C:\Users\user\Desktop\12.exe Code function: String function: 00F4CBB0 appears 63 times
Source: classification engine Classification label: mal56.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F49D99 GetDiskFreeSpaceExW,GetLastError,GetDiskFreeSpaceExW,GetLastError, 0_2_00F49D99
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: 12.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\12.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\12.exe "C:\Users\user\Desktop\12.exe"
Source: C:\Users\user\Desktop\12.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\12.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\12.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\12.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\12.exe Section loaded: rsaenh.dll
Source: 12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 12.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 12.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 12.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 12.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 12.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
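The static PE facts above (EXECUTABLE_IMAGE and 32BIT_MACHINE, the DYNAMIC_BASE / NX_COMPAT / GUARD_CF / TERMINAL_SERVER_AWARE DllCharacteristics, the .text section flags, and which section each data directory lands in) all come straight from the PE headers. The parser below is an added example for reproducing them without a sandbox; it is not code from the report and does not depend on pefile. The PE built by build_sample_pe() is a synthetic header-only image constructed to carry the same flag mix the report shows; it is not 12.exe, so the section layout is an assumption for the test, not the sample's real layout. DYNAMIC_BASE and NX_COMPAT mean ASLR and DEP apply to the image, and GUARD_CF means the module was linked with Control Flow Guard; none of these say anything about intent, only about how the binary was built.

```python
"""Minimal PE header triage: machine, Characteristics, DllCharacteristics,
section flags and data-directory placement. Added example, not report code."""
import struct
import sys

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DATA_DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
             "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
             "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def _flags(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Return header facts as a dict; raise ValueError on a malformed header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        dir_off, ndirs_off = 96, 92
    elif magic == 0x20B:                                # PE32+
        dir_off, ndirs_off = 112, 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sections = []
    sec = opt + opt_size                                # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rsize, _, _, _, _, _, sflags = struct.unpack_from("<8sIIIIIIHHI", data, sec + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": max(vsize, rsize), "flags": _flags(sflags, SECTION_FLAGS)})
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 8 * i)
        if rva and size:                                # only populated directories
            holder = next((s["name"] for s in sections if s["va"] <= rva < s["va"] + s["vsize"]), None)
            dirs[DATA_DIRS[i]] = {"rva": rva, "size": size, "section": holder}
    return {"machine": {0x14C: "I386", 0x8664: "AMD64"}.get(machine, hex(machine)),
            "characteristics": _flags(chars, FILE_CHARACTERISTICS),
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections, "data_directories": dirs}


def matches_report(info):
    """True when the parsed flags and directory placement equal what the report lists."""
    want_dll = {"DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF", "TERMINAL_SERVER_AWARE"}
    want_dirs = {"IMPORT": ".rdata", "RESOURCE": ".rsrc", "BASERELOC": ".reloc",
                 "LOAD_CONFIG": ".rdata", "IAT": ".rdata"}
    return (set(info["characteristics"]) == {"EXECUTABLE_IMAGE", "32BIT_MACHINE"}
            and set(info["dll_characteristics"]) == want_dll
            and all(info["data_directories"].get(k, {}).get("section") == v for k, v in want_dirs.items()))


def build_sample_pe():
    """Synthetic header-only PE32 (constructed for this example, NOT 12.exe) with the
    report's flag mix and a section layout assumed for the test."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/FileAlignment
    struct.pack_into("<H", opt, 68, 3)                           # Subsystem: console
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x4000 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    for idx, rva in ((1, 0x2100), (2, 0x4000), (5, 0x5000), (6, 0x2200), (10, 0x2300), (12, 0x2000)):
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, 0x40)    # IMPORT..IAT directories
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, va, 0x200, 0x400, 0, 0, 0, 0, fl)
                    for n, va, fl in ((b".text", 0x1000, 0x60000020), (b".rdata", 0x2000, 0x40000040),
                                      (b".rsrc", 0x4000, 0x40000040), (b".reloc", 0x5000, 0x42000040)))
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, len(opt), 0x0002 | 0x0100)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    for key in ("machine", "characteristics", "dll_characteristics"):
        print(key, info[key])
    for s in info["sections"]:
        print("Section:", s["name"], ", ".join(s["flags"]))
    for name, d in info["data_directories"].items():
        print("IMAGE_DIRECTORY_ENTRY_%s is in: %s" % (name, d["section"]))
    print("matches report:", matches_report(info))
```

Run against the real file with `python pehdr.py 12.exe`; the output lines mirror the report's "Static PE information" entries, and matches_report() gives a single yes/no for whether a file on hand is built the way the report describes.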
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F5B6A5 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F5B6A5
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4C887 push ecx; ret 0_2_00F4C89A
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4CBF6 push ecx; ret 0_2_00F4CC09
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4AD00 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F4AD00
Source: C:\Users\user\Desktop\12.exe API coverage: 5.9 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\12.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F6C6AF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F6C6AF
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F5B6A5 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F5B6A5
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F77781 mov eax, dword ptr fs:[00000030h] 0_2_00F77781
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F83CF0 GetProcessHeap, 0_2_00F83CF0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4C9F0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F4C9F0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4CB52 SetUnhandledExceptionFilter, 0_2_00F4CB52
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4CC0B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F4CC0B
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F4C2FF cpuid 0_2_00F4C2FF
Source: C:\Users\user\Desktop\12.exe Code function: EnumSystemLocalesW, 0_2_00F7C906
Source: C:\Users\user\Desktop\12.exe Code function: GetLocaleInfoW, 0_2_00F7CDEF
Source: C:\Users\user\Desktop\12.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00F85932
Source: C:\Users\user\Desktop\12.exe Code function: EnumSystemLocalesW, 0_2_00F85BB9
Source: C:\Users\user\Desktop\12.exe Code function: EnumSystemLocalesW, 0_2_00F85C9F
Source: C:\Users\user\Desktop\12.exe Code function: EnumSystemLocalesW, 0_2_00F85C04
Source: C:\Users\user\Desktop\12.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00F85D30
Source: C:\Users\user\Desktop\12.exe Code function: GetLocaleInfoW, 0_2_00F85F80
Source: C:\Users\user\Desktop\12.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00F860A9
Source: C:\Users\user\Desktop\12.exe Code function: GetLocaleInfoW, 0_2_00F861B0
Source: C:\Users\user\Desktop\12.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00F8627D
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F7CE59 GetSystemTimeAsFileTime, 0_2_00F7CE59
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F8050E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00F8050E
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F52B6C GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8, 0_2_00F52B6C
Source: C:\Users\user\Desktop\12.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00EE15F0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00EE15F0
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00EE1590 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00EE1590
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F5D6B9 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_00F5D6B9
Source: C:\Users\user\Desktop\12.exe Code function: 0_2_00F5E3E0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_00F5E3E0
No contacted IP addresses