Windows Analysis Report
DSCI5829.jpg

Overview

General Information

Sample name:DSCI5829.jpg
Analysis ID:1550128
MD5:f2c802391424a17c6e551ef2ad55755c
SHA1:50cee3537b5ffa4c3833b9c205c9271709ba15e2
SHA256:8281f5ee17bab447462e9254c7e302ee901cec30b38f24e88d81a54eca326f94

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Monitors registry run keys for changes
Writes to foreign memory regions
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • DSCI5829.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\DSCI5829.exe" MD5: F2C802391424A17C6E551EF2AD55755C)
    • services585.exe (PID: 6280 cmdline: -n MD5: F2C802391424A17C6E551EF2AD55755C)
      • OfficeClickToRun.exe (PID: 2852 cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service MD5: 75F42872C0302D36A1E3BB5C7928FC02)
      • PhoneExperienceHost.exe (PID: 5968 cmdline: "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe" -ComServer:Background -Embedding MD5: 9FE132D5D4D3C555DE122793417BC97E)
      • WinStore.App.exe (PID: 5964 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
      • WmiPrvSE.exe (PID: 2680 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • cleanup
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Microsoft\services585.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DSCI5829.exe, ProcessId: 6256, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Microsoft\services585.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DSCI5829.exe, ProcessId: 6256, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Avira: detection malicious, Label: WORM/Agent.fgqfw
Source: DSCI5829.jpg | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Joe Sandbox ML: detected
Source: DSCI5829.jpg | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: global traffic | UDP traffic: 192.168.2.17:65464 -> 173.195.9.145:5558
Source: global traffic | TCP traffic: 192.168.2.17:49680 -> 20.189.173.13:443
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.13 (4 events)
Source: unknown | UDP traffic detected without corresponding DNS query: 173.195.9.145 (46 events)
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443
Source: classification engine | Classification label: mal80.evad.winJPG@3/2@0/24
Source: C:\Users\user\Desktop\DSCI5829.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\services585.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Mutant created: \Sessions\1\BaseNamedObjects\ksfoinswkan8923w123
Source: DSCI5829.jpg | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DSCI5829.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DSCI5829.exe "C:\Users\user\Desktop\DSCI5829.exe"
Source: C:\Users\user\Desktop\DSCI5829.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\services585.exe -n (2 events)
Source: C:\Users\user\Desktop\DSCI5829.exe | Sections loaded: apphelp.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, msasn1.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Sections loaded: apphelp.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, msasn1.dll, windows.storage.dll, wldp.dll, profapi.dll, uxtheme.dll, mswsock.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Sections loaded: wininet.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, msasn1.dll, dnsapi.dll, iphlpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe | Sections loaded: flightsettings.dll, wosc.dll, windows.networking.connectivity.dll, npmproxy.dll, dusmapi.dll, updatepolicy.dll, cabinet.dll, msasn1.dll, windows.system.profile.platformdiagnosticsandusagedatasettings.dll, windows.system.userprofile.diagnosticssettings.dll, windows.system.profile.systemid.dll, clipc.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, winhttp.dll, ondemandconnroutehelper.dll, winmm.dll, secur32.dll, mswsock.dll, wshunix.dll, winrnr.dll, rasadhlp.dll, nlaapi.dll, pnrpnsp.dll, wshbth.dll, devobj.dll, napinsp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, cryptowinrt.dll, structuredquery.dll, windows.staterepositoryps.dll, windows.storage.search.dll, biwinrt.dll, windows.applicationmodel.background.timebroker.dll, onecorecommonproxystub.dll, windows.applicationmodel.background.systemeventsbroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41fd88f7-f295-4d39-91ac-a85f3149a05b}\InProcServer32
Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | Key opened: HKEY_USERS.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
Source: C:\Users\user\Desktop\DSCI5829.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\services585.exe (dropped file)

Boot Survival

Source: C:\Users\user\Desktop\DSCI5829.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\DSCI5829.exe | Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\DSCI5829.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe Reader Speed Launcher (2 events)
Source: C:\Users\user\Desktop\DSCI5829.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe Reader Speed Launcher (2 events)
Source: C:\Users\user\Desktop\DSCI5829.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 events)
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe | Process information set: NOOPENFILEERRORBOX (39 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Window / User API: threadDelayed 8138
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6524 | Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6524 | Thread sleep time: -670000s >= -30000s
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe TID: 6428 | Thread sleep count: 89 > 30
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe TID: 6424 | Thread sleep count: 207 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6524 | Thread sleep count: 277 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6524 | Thread sleep time: -2770000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6508 | Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe TID: 5032 | Thread sleep count: 143 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6524 | Thread sleep count: 8138 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe TID: 6524 | Thread sleep time: -81380000s >= -30000s
Source: C:\Users\user\Desktop\DSCI5829.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Process token adjusted: Debug (2 events)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 570000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe base: 4A0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 70000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4040000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Thread created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe EIP: 4043448
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 570000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 70000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4040000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 570000
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 58EDB0
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23082.131.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe base: 4BEDB0
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 70000
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 8EDB0
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 4040000
Source: C:\Users\user\AppData\Roaming\Microsoft\services585.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 405EDB0
MITRE ATT&CK Matrix (techniques listed per tactic column; a technique preceded by a number is one the report flagged, with the number reproduced as printed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 41 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 41 Process Injection; 1 DLL Side-Loading; Software Packing; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Query Registry; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 2 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
DSCI5829.jpg | 95% | ReversingLabs | Win32.Worm.Wergimog
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\services585.exe | 100% | Avira | WORM/Agent.fgqfw
C:\Users\user\AppData\Roaming\Microsoft\services585.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
173.195.9.145 | unknown | United States | 33438 | HIGHWINDS2US | false
13.107.5.88 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.189.173.13 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1550128
Start date and time:2024-11-06 14:01:24 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:4
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:DSCI5829.jpg
Detection:MAL
Classification:mal80.evad.winJPG@3/2@0/24
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.5.88
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping network analysis since amount of network traffic is too extensive
  • Timeout during stream target processing, analysis might miss dynamic analysis data
  • VT rate limit hit for: DSCI5829.jpg
Process:C:\Users\user\Desktop\DSCI5829.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):58880
Entropy (8bit):6.497552667126019
Encrypted:false
SSDEEP:
MD5:F2C802391424A17C6E551EF2AD55755C
SHA1:50CEE3537B5FFA4C3833B9C205C9271709BA15E2
SHA-256:8281F5EE17BAB447462E9254C7E302EE901CEC30B38F24E88D81A54ECA326F94
SHA-512:76CF60AF677A47679BDCBCAAA34315C4E4E7FEEDEDF5D93FE0AFDE8B0B41387AE9311A8C2A2DC25146698455FB41C0B9E4A5DBCA4FBA0B260481931F29063FC8
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U..:..i..i..i...i..iH..i..i...i..i..i..i..i..i..i..i..i..i..i9.iRich..i........PE..L....8.M.....................X......H.............@.......................... ..............................................|...,...............................<.......................................................<............................text............................... ..`.rdata..............................@..@.data...d,..........................@....reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\DSCI5829.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.497552667126019
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:DSCI5829.jpg
File size:58'880 bytes
MD5:f2c802391424a17c6e551ef2ad55755c
SHA1:50cee3537b5ffa4c3833b9c205c9271709ba15e2
SHA256:8281f5ee17bab447462e9254c7e302ee901cec30b38f24e88d81a54eca326f94
SHA512:76cf60af677a47679bdcbcaaa34315c4e4e7feededf5d93fe0afde8b0b41387ae9311a8c2a2dc25146698455fb41c0b9e4a5dbca4fba0b260481931f29063fc8
SSDEEP:768:QtexFt1hXC//d6TugJOFui8nH0as6EfRilpmTzSxhB0Pbyr871o2kyfFutrgc:QtexK/0ugJOEi8nH0aNEpil0nbFqHBb
TLSH:F7437D67B992097ACD8301F96D582722CFFBDD342C6AD802D754CED67CA518E9E3810B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U..:...i...i...i...i...iH..i...i...i...i...i...i...i...i...i...i...i...i...i9..iRich...i........PE..L....8.M...................
Icon Hash:00928e8e8686b000
Entrypoint:0x40a748
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x4D893897 [Wed Mar 23 00:02:31 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:a184390a2f68b5f0896cb1eef2c7a5f9
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040B340h
push 0040A8D0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040B18Ch]
pop ecx
or dword ptr [0041FC5Ch], FFFFFFFFh
or dword ptr [0041FC60h], FFFFFFFFh
call dword ptr [0040B190h]
mov ecx, dword ptr [0041FC54h]
mov dword ptr [eax], ecx
call dword ptr [0040B194h]
mov ecx, dword ptr [0041FC50h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040B198h]
mov eax, dword ptr [eax]
mov dword ptr [0041FC58h], eax
call 00007FB114EA01DBh
cmp dword ptr [0040ED50h], ebx
jne 00007FB114EA00CEh
push 0040A8CAh
call dword ptr [0040B1A0h]
pop ecx
call 00007FB114EA01ADh
push 0040D01Ch
push 0040D018h
call 00007FB114EA0198h
mov eax, dword ptr [0041FC4Ch]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0041FC48h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040B1A8h]
push 0040D014h
push 0040D000h
call 00007FB114EA0165h
Programming Language:
  • [ C ] VS98 (6.0) build 8168
  • [LNK] VS98 (6.0) imp/exp build 8168
  • [C++] VS98 (6.0) build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb37c | 0x12c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0x103c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x33c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9906 | 0x9a00 | 198a927b8649d8063bc84af6ccce68ca | False | 0.5407873376623377 | data | 6.342151477327357 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x1402 | 0x1600 | 060061190d2336964643d11838ab28db | False | 0.4094460227272727 | data | 4.930104357493168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x12c64 | 0x1e00 | 2ed0b24c2d0d936d3a80330a2c4cf414 | False | 0.5041666666666667 | data | 5.617314412980794 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x20000 | 0x1232 | 0x1400 | 8fa41d53f18efce2891c33de0ea64531 | False | 0.6896484375 | data | 6.095329781165165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
MSVCRT.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, strcpy, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, tolower, isspace, isprint, strrchr, vsprintf, calloc, _memicmp, strcat, strncmp, strtok, ??2@YAPAXI@Z, ??3@YAXPAX@Z, sscanf, isxdigit, memcmp, strncpy, strcmp, malloc, sprintf, strstr, free, srand, rand, memcpy, _snprintf, strlen, memset, atoi, _controlfp
WS2_32.dll: inet_addr, closesocket, socket, inet_ntoa, gethostbyname, ntohs, ioctlsocket, connect, send, WSACleanup, htons, WSAStartup, sendto, select, recvfrom, getpeername
ntdll.dll: RtlUnicodeStringToAnsiString, NtQueryInformationThread, NtWriteVirtualMemory, RtlFreeAnsiString
KERNEL32.dll: GetLogicalDriveStringsA, lstrcpynA, GetCurrentProcessId, lstrlenA, HeapReAlloc, lstrcmpW, WideCharToMultiByte, ExitThread, HeapAlloc, HeapFree, MoveFileExA, CreateEventA, GetCommandLineA, GetVersionExA, UnlockFile, EnterCriticalSection, LeaveCriticalSection, DeleteFileA, WriteFile, CreateNamedPipeA, ConnectNamedPipe, ReadFile, DisconnectNamedPipe, GetModuleFileNameA, CreateFileA, GetFileSize, LockFile, InitializeCriticalSection, DeleteCriticalSection, DeviceIoControl, MultiByteToWideChar, CreateDirectoryA, GetFileAttributesA, FindClose, FindNextFileA, FindFirstFileA, SetCurrentDirectoryA, TerminateProcess, FreeLibrary, ResumeThread, SetThreadContext, WriteProcessMemory, ReadProcessMemory, GetModuleHandleA, FlushFileBuffers, GetStartupInfoA, CreateFileMappingA, OpenFileMappingA, MapViewOfFile, lstrcpyA, UnmapViewOfFile, GetProcessHeap, LoadLibraryA, ExpandEnvironmentStringsA, Sleep, CreateThread, GetTickCount, VirtualFree, VirtualAllocEx, VirtualAlloc, Process32Next, OpenProcess, CloseHandle, Process32First, CreateToolhelp32Snapshot, VirtualProtect, GetProcAddress, CreateRemoteThread, GetCurrentProcess, lstrcmpiA, ExitProcess, CopyFileA, SetFileAttributesA, CreateProcessA, GetLastError, OpenMutexA, ReleaseMutex, WaitForSingleObject, CreateMutexA, SetErrorMode, GetThreadContext
ADVAPI32.dll: AdjustTokenPrivileges, OpenProcessToken, GetUserNameA, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegNotifyChangeKeyValue, RegSetValueExA, RegDeleteValueA, RegEnumValueA, LookupPrivilegeValueA
SHELL32.dll: ShellExecuteA, SHGetSpecialFolderPathA
PSAPI.DLL: GetModuleFileNameExA
SHLWAPI.dll: StrStrIA, PathAppendA, PathFindExtensionA, AssocQueryStringA, StrCmpNA, StrCmpNIA
WINTRUST.dll: WinVerifyTrust
urlmon.dll: ObtainUserAgentString
WININET.dll: HttpQueryInfoW, InternetOpenA, InternetOpenUrlA, InternetCloseHandle, HttpQueryInfoA, InternetReadFile, InternetQueryOptionA
USER32.dll: UnregisterDeviceNotification, CreateWindowExA, RegisterDeviceNotificationA, GetMessageA, TranslateMessage, DispatchMessageA, DefWindowProcA, PostQuitMessage, RegisterClassExA, CharLowerBuffA
ole32.dll: CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll: SysAllocStringLen, SysFreeString