Windows
Analysis Report
main.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
main.exe (PID: 8384 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 087340A168CEE0B901154E924AB0066A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
- AV Detection
- Bitcoin Miner
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Malware Analysis System Evasion
- Language, Device and Operating System Detection
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Bitcoin Miner |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | IP Address: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static file information: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
62% | Virustotal | Browse | ||
27% | ReversingLabs | Win32.Trojan.DisguisedXMRigMiner | ||
100% | Avira | HEUR/AGEN.1314659 |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
dualstack.c.sni.global.fastly.net | 151.101.2.49 | true | false | high | |
curl.haxx.se | unknown | unknown | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | ||
false | high | |||
false | unknown | ||
false | high | |||
false | high | |||
false | unknown | ||
false | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | unknown | ||
false | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
151.101.2.49 | dualstack.c.sni.global.fastly.net | United States | 54113 | FASTLYUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1634005 |
Start date and time: | 2025-03-10 17:45:18 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | main.exe |
Detection: | MAL |
Classification: | mal68.mine.winEXE@1/0@1/1 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
- Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, slscr.update.microsoft.com, g.bing.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
151.101.2.49 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | HTMLPhisher | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | HTMLPhisher | Browse | |||
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
FASTLYUS | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | HTMLPhisher | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Gabagool | Browse | |||
Get hash | malicious | Gabagool | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | HTMLPhisher | Browse | |||
Get hash | malicious | HTMLPhisher | Browse | |||
File type: | |
Entropy (8bit): | 7.998434681660803 |
TrID: | |
File name: | main.exe |
File size: | 9'991'211 bytes |
MD5: | 087340a168cee0b901154e924ab0066a |
SHA1: | 4bf3bb2510fbf695c4bf5dc5bad273a1059c4ed1 |
SHA256: | 685a1c671eae3f59a4a73a2239b4fe53c1aaa0242038bb6ace23aa7634423018 |
SHA512: | 4411b96cb39085aadbb4387cbc4b6c59ad67c2fdb6b93368ff1de2edb54b65d93197a1be6e6286452d12d4e5dda7e00797d9eb5e82ee8041273517bd7eafdfd5 |
SSDEEP: | 196608:PYCbGn17upv2hYiEKkqflPbMQQQz9bjtOOyGl60XtANGj81OjWadjRef0MU:PYN7iCYJqdMQ7k5WtAs81OjWaTef0MU |
TLSH: | BCA633A481FE4139F377E3B14957CE8A52C4433E125FD12A6F1143E598FF2E86B9062A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}....H...H...H.i.H...H.i.H...H.i.H...H...H...H...H...H.i.H...H.i.H...H.i.H...H.i.H...HRich...H................PE..L...QzFT... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x6a69e0 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x54467A51 [Tue Oct 21 15:22:57 2014 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 49340a9d9aeedc9a43057c7d7201cff0 |
Instruction |
---|
pushad |
mov esi, 0058A000h |
lea edi, dword ptr [esi-00189000h] |
push edi |
jmp 00007F6404F0B06Dh |
nop |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F6404F0B04Fh |
mov eax, 00000001h |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
add ebx, ebx |
jnc 00007F6404F0B06Dh |
jne 00007F6404F0B08Ah |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F6404F0B081h |
dec eax |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
jmp 00007F6404F0B036h |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
jmp 00007F6404F0B0B4h |
xor ecx, ecx |
sub eax, 03h |
jc 00007F6404F0B073h |
shl eax, 08h |
mov al, byte ptr [esi] |
inc esi |
xor eax, FFFFFFFFh |
je 00007F6404F0B0D7h |
sar eax, 1 |
mov ebp, eax |
jmp 00007F6404F0B06Dh |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F6404F0B02Eh |
inc ecx |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F6404F0B020h |
add ebx, ebx |
jne 00007F6404F0B069h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
add ebx, ebx |
jnc 00007F6404F0B051h |
jne 00007F6404F0B06Bh |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jnc 00007F6404F0B046h |
add ecx, 02h |
cmp ebp, FFFFFB00h |
adc ecx, 02h |
lea edx, dword ptr [edi+ebp] |
cmp ebp, FFFFFFFCh |
jbe 00007F6404F0B070h |
mov al, byte ptr [edx] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4a60 | 0x54c | UPX0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a70d4 | 0x124 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a7000 | 0xd4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a71f8 | 0x10 | .rsrc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2a6bbc | 0x48 | UPX1 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0x189000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
UPX1 | 0x18a000 | 0x11d000 | 0x11ce00 | 8a6731f7c2052b892ad41956a6f24db6 | False | 0.9856185210070206 | data | 7.953761973137751 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x2a7000 | 0x1000 | 0x400 | d3c3a49a0ee05a67b3ba9e4e63c0866d | False | 0.2900390625 | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4, imaginary | 2.25128560659012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
PYTHON34.DLL | 0x70d4 | 0x29b400 | empty | 0 | ||
PYTHONSCRIPT | 0x2a24d4 | 0x124a | data | 0.9920973942759505 |
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect |
MSVCR100.dll | exit |
SHELL32.dll | CommandLineToArgvW |
USER32.dll | GetFocus |
- Total Packets: 9
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 10, 2025 17:46:15.857577085 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:15.862633944 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5 |
Mar 10, 2025 17:46:15.863986969 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:15.864088058 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:15.869087934 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5 |
Mar 10, 2025 17:46:16.353230953 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5 |
Mar 10, 2025 17:46:16.353414059 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5 |
Mar 10, 2025 17:46:16.353482962 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:16.357072115 CET | 49708 | 80 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:16.362246037 CET | 80 | 49708 | 151.101.2.49 | 192.168.2.5 |
Mar 10, 2025 17:46:17.003238916 CET | 49709 | 443 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:17.003324032 CET | 443 | 49709 | 151.101.2.49 | 192.168.2.5 |
Mar 10, 2025 17:46:17.003437996 CET | 49709 | 443 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:17.003882885 CET | 49709 | 443 | 192.168.2.5 | 151.101.2.49 |
Mar 10, 2025 17:46:17.003909111 CET | 443 | 49709 | 151.101.2.49 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 10, 2025 17:46:15.836735010 CET | 56403 | 53 | 192.168.2.5 | 1.1.1.1 |
Mar 10, 2025 17:46:15.846478939 CET | 53 | 56403 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 10, 2025 17:46:15.836735010 CET | 192.168.2.5 | 1.1.1.1 | 0x5cec | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | dualstack.c.sni.global.fastly.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | 151.101.2.49 | A (IP address) | IN (0x0001) | false | ||
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | 151.101.66.49 | A (IP address) | IN (0x0001) | false | ||
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | 151.101.130.49 | A (IP address) | IN (0x0001) | false | ||
Mar 10, 2025 17:46:15.846478939 CET | 1.1.1.1 | 192.168.2.5 | 0x5cec | No error (0) | 151.101.194.49 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49708 | 151.101.2.49 | 80 | 8384 | C:\Users\user\Desktop\main.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 10, 2025 17:46:15.864088058 CET | 128 | OUT | |
Mar 10, 2025 17:46:16.353230953 CET | 409 | IN |
Target ID: | 0 |
Start time: | 12:46:13 |
Start date: | 10/03/2025 |
Path: | C:\Users\user\Desktop\main.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbc0000 |
File size: | 9'991'211 bytes |
MD5 hash: | 087340A168CEE0B901154E924AB0066A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |