Windows Analysis Report
ghXWQEsbaV.exe

Overview

General Information

Sample name:ghXWQEsbaV.exe
(renamed file extension from bin to exe, renamed because original name is a hash value)
Original sample name:2ccda41e7724e08b58cc1ab45785a994ed9aa02b26304b36842b744bba9c4f30.bin
Analysis ID:1579934
MD5:8dfeda23d5b11396a0ecb39ed563f539
SHA1:fe3abcdc59cd077ecf316cddba14d0b95c240951
SHA256:2ccda41e7724e08b58cc1ab45785a994ed9aa02b26304b36842b744bba9c4f30

Detection

Score:23
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

AI detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • ghXWQEsbaV.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\ghXWQEsbaV.exe" MD5: 8DFEDA23D5B11396A0ECB39ED563F539)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 81.4% probability
Further signature evidence

Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; File created: C:\Users\user\AppData\Local\Temp\DeepL auto-start 0install Stub Error Log.txt
Source: ghXWQEsbaV.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdbm source: ghXWQEsbaV.exe, 00000000.00000002.1670789355.000000000058A000.00000004.00000020.00020000.00000000.sdmp
Source: ghXWQEsbaV.exe; String found in binary or memory: https://appdownload.deepl.com/windows/0install/deepl.xml
Source: ghXWQEsbaV.exe, 00000000.00000000.1666918884.0000000000046000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameZeroInstall.Stub.exe4 vs ghXWQEsbaV.exe
Source: ghXWQEsbaV.exe; Binary or memory string: OriginalFilenameZeroInstall.Stub.exe4 vs ghXWQEsbaV.exe
Source: classification engine; Classification label: sus23.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ghXWQEsbaV.exe.log
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Mutant created: NULL
Source: ghXWQEsbaV.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ghXWQEsbaV.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ghXWQEsbaV.exe; String found in binary or memory: run --no-wait --command auto-start https://appdownload.deepl.com/windows/0install/deepl.xml
Source: ghXWQEsbaV.exe; String found in binary or memory: YDeepL auto-start 0install Stub Error Log.txt
Source: ghXWQEsbaV.exe; String found in binary or memory: DeepL auto-start
Source: ghXWQEsbaV.exe; String found in binary or memory: FileDescriptionDeepL auto-start0
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; File read: C:\Users\user\Desktop\ghXWQEsbaV.exe
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: ghXWQEsbaV.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ghXWQEsbaV.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ghXWQEsbaV.exe; Static PE information: 0xD5070209 [Sat Apr 3 19:31:21 2083 UTC]
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Memory allocated: 2160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Memory allocated: 1A160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe TID: 7468; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ghXWQEsbaV.exe; Queries volume information: C:\Users\user\Desktop\ghXWQEsbaV.exe VolumeInformation
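The raw numbers in the evidence above are easier to weigh once decoded. The Python below is an added example written for this page, not Joe Sandbox code: it constructs a minimal PE32 header carrying the report's TimeDateStamp (0xD5070209), DllCharacteristics and entry point, parses those fields back out, converts the timestamp to a UTC date, and maps the reported 922337203685477 ms delay onto the .NET constant it equals (TimeSpan.MaxValue in whole milliseconds, i.e. an unbounded wait rather than a timed evasive sleep). Header offsets and flag values follow the PE/COFF specification; the timestamp heuristic relies on the fact that deterministic Roslyn builds fill the field with a content hash whose high bit is forced on (System.Reflection.Metadata's BlobContentId.FromHash ORs in 0x80000000), which is why such binaries decode to a far-future date like 2083 without any tampering. The verdict strings and thresholds are this example's own choices.

```python
"""Decode the static/behaviour indicators listed above for ghXWQEsbaV.exe.
Added example, not Joe Sandbox code. The PE header is constructed here from
the report's field values so the script runs offline."""
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def build_pe32_header(timestamp, dll_characteristics, image_base=0x400000, entry=0x2DCA):
    """Constructed minimal PE32 header (DOS stub + COFF file header + optional
    header). Only the fields the parser reads are filled; the rest stay zero."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH",
                       0x014C,                     # Machine: IMAGE_FILE_MACHINE_I386
                       3,                          # NumberOfSections (.text, .rsrc, .reloc)
                       timestamp,                  # TimeDateStamp
                       0, 0,                       # PointerToSymbolTable, NumberOfSymbols
                       0xE0,                       # SizeOfOptionalHeader for PE32
                       0x0022)                     # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe32_header(data):
    """Read the COFF header and the optional-header fields a triage needs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    dllc, = struct.unpack_from("<H", data, opt + 70)
    return {"machine": machine, "sections": nsec, "timestamp": ts,
            "file_characteristics": chars, "magic": magic,
            "entrypoint": entry, "dll_characteristics": dllc}


def decode_dll_characteristics(value):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def decode_timestamp(ts, now=None):
    """Return (UTC datetime, verdict). Bit 31 set is the deterministic-build
    marker (content hash | 0x80000000), so a 2083 date is expected, not forged."""
    now = now or datetime.now(timezone.utc)
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    if ts & 0x80000000:
        verdict = "deterministic-build hash, not a real build time"
    elif when > now:
        verdict = "future date: forged or clock-skewed timestamp"
    elif when.year < 1990:
        verdict = "implausibly old: likely zeroed or forged"
    else:
        verdict = "plausible build time"
    return when, verdict


DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000     # TimeSpan.MaxValue in whole milliseconds


def classify_delay_ms(ms):
    """Map a sandbox-reported delay (milliseconds) onto the .NET value it came from."""
    if ms == DOTNET_TIMESPAN_MAX_MS:
        return "TimeSpan.MaxValue: an unbounded wait, not a timed sleep"
    if ms == 2**31 - 1:
        return "Int32.MaxValue ms: about 24.8 days, unbounded in practice"
    if ms >= 180_000:
        return "long sleep (>= 3 min)"
    return "short sleep"


if __name__ == "__main__":
    # Field values taken from the report above; the header itself is constructed.
    hdr = build_pe32_header(0xD5070209, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    info = parse_pe32_header(hdr)
    when, verdict = decode_timestamp(info["timestamp"])
    print(f"TimeDateStamp 0x{info['timestamp']:08X} -> {when:%Y-%m-%d %H:%M:%S} UTC ({verdict})")
    print("DllCharacteristics:", ", ".join(decode_dll_characteristics(info["dll_characteristics"])))
    print("Delay 922337203685477 ms ->", classify_delay_ms(922337203685477))
```

Run against a real file, the same parser applies to the first 0x200 bytes of the sample; the two signatures "Binary contains a suspicious time stamp" and "Contains long sleeps" both resolve to ordinary .NET behaviour here, which is consistent with the low score and the ZeroInstall.Stub.exe original filename.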
MITRE ATT&CK Matrix (techniques with matched signatures; number of matches in parentheses)

  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Timestomp (1); DLL Side-Loading (1)
  • Discovery: Virtualization/Sandbox Evasion (31); System Information Discovery (11)
  • Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact: no matches
Source | Detection | Scanner | Label | Link
ghXWQEsbaV.exe | 3% | ReversingLabs | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://appdownload.deepl.com/windows/0install/deepl.xml | ghXWQEsbaV.exe | false | | high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1579934
    Start date and time:2024-12-23 15:58:39 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 40s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:ghXWQEsbaV.exe
    (renamed file extension from bin to exe, renamed because original name is a hash value)
    Original Sample Name:2ccda41e7724e08b58cc1ab45785a994ed9aa02b26304b36842b744bba9c4f30.bin
    Detection:SUS
    Classification:sus23.winEXE@1/2@0/0
    Cookbook Comments:
    • Stop behavior analysis, all processes terminated
    • VT rate limit hit for: ghXWQEsbaV.exe
    No simulations
    No context
    Process:C:\Users\user\Desktop\ghXWQEsbaV.exe
    File Type:CSV text
    Category:dropped
    Size (bytes):425
    Entropy (8bit):5.357964438493834
    Encrypted:false
    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
    MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
    SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
    SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
    SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:
    1,"fusion","GAC",0
    1,"WinRT","NotApp",1
    3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0
    3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0
    Process:C:\Users\user\Desktop\ghXWQEsbaV.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):385
    Entropy (8bit):4.76038877201441
    Encrypted:false
    SSDEEP:6:1KoUrG67QWoJPUWL2md8NeFsvwWL25FsvxTKouunKLNuqIg3ugv:1KtrG6s18WLf8MF9WLOFKbuubaugv
    MD5:5B853FACBA06192A5F57BE437B1A0969
    SHA1:6185E4904EBB97023969F4AA18CBAC0AB372FE7B
    SHA-256:3E67B1173CB937B8A1A2557BE2DDBD01AA6B7A535A8767CCF638215AF7AFE35E
    SHA-512:9932B12D18B1D25FA5728560AD773311EAD161563E8BA0E404B55AE5234290161A818025905E2F60CC064E9BB28EF709BEA0C10819DC762DF559B52A56635005
    Malicious:false
    Reputation:low
    Preview:
    System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified.
       at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
       at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
       at Program.RunInner(String fileName, String arguments, Boolean useShellExecute)
       at Program.Run(String fileName, String arguments)
    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit):3.0210700326989395
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    • Win32 Executable (generic) a (10002005/4) 49.78%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Generic Win/DOS Executable (2004/3) 0.01%
    • DOS Executable Generic (2002/1) 0.01%
    File name:ghXWQEsbaV.exe
    File size:114'688 bytes
    MD5:8dfeda23d5b11396a0ecb39ed563f539
    SHA1:fe3abcdc59cd077ecf316cddba14d0b95c240951
    SHA256:2ccda41e7724e08b58cc1ab45785a994ed9aa02b26304b36842b744bba9c4f30
    SHA512:bb5b5865f299fc486e69158dffbf51f74926d93cbb4567779832267c21652a86be289b29bcc201caa9ba3400cd4d606868d47bdd9e98f9348e8312038d55279b
    SSDEEP:384:zc9+ge4TJZVhmuts+b92XSLJQEfnyWmTNKRwMF5cV6wwnUSrua+:kjjJsU6QJQEfnyWmWwMFIf5Sv+
    TLSH:C0B34B91BBA45124E6491BF9DBF607499A39AE6F09F14FAF25D031CD3F35670B023880
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............-... ...@....@.. ....................... ............@................................
    Icon Hash:0f1b796379190f98
    Entrypoint:0x402dca
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp:0xD5070209 [Sat Apr 3 19:31:21 2083 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
    Instruction
    jmp dword ptr [00402000h]
    (The remaining bytes at the entry point are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al". The jump target 0x402000 is the single IAT slot, IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000 with image base 0x400000, holding the only import, mscoree.dll!_CorExeMain: the standard native entry stub of a managed executable.)
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d78 | 0x4f | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x1ad9c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2d5c | 0x1c | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0xdd0 | 0xe00 | 70f367db8137cd033fac3b5a7e748b60 | False | 0.5627790178571429 | data | 5.077712279280708 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x4000 | 0x1ad9c | 0x1ae00 | 248b7edb1408acd431dcd5c52cf2188b | False | 0.13791787790697674 | data | 2.8317596056991294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x20000 | 0xc | 0x200 | 112b56e1ed4b9c2f300e035a12d055b0 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
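The Entropy and ZLIB Complexity columns in the section table are the two cheapest indicators of packed or encrypted code, and they are easy to recompute. The Python below is an added example, not Joe Sandbox's implementation: 8-bit Shannon entropy and the compressed-to-raw size ratio, applied to constructed stand-in section bytes (zero padding like the 0x200-byte .reloc section above, a repetitive code-like pattern, and SHA-256-derived pseudo-random bytes standing in for a packed section, since the sample itself is not part of this page). The 7.0 entropy and 0.9 ratio thresholds in triage_section are this example's assumptions.

```python
"""Recompute per-section Entropy and ZLIB Complexity as shown in the section
table above. Added example for this page, not Joe Sandbox code; the section
bytes are constructed so the script runs offline."""
import hashlib
import math
import zlib


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size. Near or above 1.0 means incompressible,
    which is how packed or encrypted payloads look."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


# Thresholds are this example's assumptions, not Joe Sandbox's.
PACKED_ENTROPY = 7.0
PACKED_ZLIB = 0.9


def triage_section(name: str, data: bytes, executable: bool) -> dict:
    """Flag an executable section whose bytes are both high-entropy and
    incompressible. A plain .NET .text section like the one above
    (entropy ~5.1, ZLIB complexity ~0.56) stays clear of both limits."""
    ent = shannon_entropy(data)
    zc = zlib_complexity(data)
    return {
        "name": name,
        "entropy": round(ent, 3),
        "zlib_complexity": round(zc, 3),
        "looks_packed": executable and ent > PACKED_ENTROPY and zc > PACKED_ZLIB,
    }


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter chain) standing in
    for packed/encrypted content without needing the real sample."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


# Constructed stand-ins for section contents: (bytes, is_executable)
SECTIONS = {
    # 0x200 raw bytes of zero padding, like the tiny .reloc section above
    ".reloc": (bytes(0x200), False),
    # repetitive x86-like byte pattern standing in for ordinary code
    ".text": (b"".join(bytes([0x8B, 0x45, 0x08, 0x50, 0xE8, i & 0xFF, 0x00, 0x00])
                       for i in range(256)), True),
    # hypothetical packed code section
    ".text_packed": (pseudo_random(4096), True),
}


def triage_all(sections=SECTIONS):
    return [triage_section(name, data, executable)
            for name, (data, executable) in sections.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

The same two functions can be pointed at real section bytes read from a file at the Raw Size offsets of the section table; note that a resource-heavy .rsrc section (here mostly uncompressed icon bitmaps) legitimately shows very low entropy, while an embedded PNG resource shows a ZLIB complexity near 1.0 because it is already compressed.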
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_ICON | 0x41a0 | 0x1fd0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.981827111984283
    RT_ICON | 0x6180 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 24188 x 24188 px/m | | | 0.0424257660002366
    RT_ICON | 0x169b8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 24188 x 24188 px/m | | | 0.08183750590458196
    RT_ICON | 0x1abf0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 24188 x 24188 px/m | | | 0.11369294605809128
    RT_ICON | 0x1d1a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 24188 x 24188 px/m | | | 0.15408067542213882
    RT_ICON | 0x1e260 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 24188 x 24188 px/m | | | 0.3067375886524823
    RT_GROUP_ICON | 0x1e6d8 | 0x5a | data | | | 0.7666666666666667
    RT_VERSION | 0x1e744 | 0x28c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.45245398773006135
    RT_MANIFEST | 0x1e9e0 | 0x3b8 | XML 1.0 document, ASCII text | | | 0.47058823529411764
    DLL | Import
    mscoree.dll | _CorExeMain
    No network behavior found

    Target ID:0
    Start time:09:59:29
    Start date:23/12/2024
    Path:C:\Users\user\Desktop\ghXWQEsbaV.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\ghXWQEsbaV.exe"
    Imagebase:0x30000
    File size:114'688 bytes
    MD5 hash:8DFEDA23D5B11396A0ECB39ED563F539
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    No disassembly