Loading ...

Play interactive tourEdit tour

Windows Analysis Report dngqoAXyDd.exe

Overview

General Information

Sample Name:dngqoAXyDd.exe
Analysis ID:516930
MD5:0afbb383c5cea9f11202d572141bb0f4
SHA1:148266112b25087f10ac1124ea32630e48fb0bd9
SHA256:6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210
Tags:exetop147TrickBot
Infos:

Most interesting Screenshot:

Detection

TrickBot
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Trickbot
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Tries to detect virtualization through RDTSC time measurements
Found potential dummy code loops (likely to delay analysis)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Program does not show much activity (idle)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • dngqoAXyDd.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\dngqoAXyDd.exe" MD5: 0AFBB383C5CEA9F11202D572141BB0F4)
    • wermgr.exe (PID: 5784 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
    • cmd.exe (PID: 6396 cmdline: C:\Windows\system32\cmd.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmpJoeSecurity_TrickBot_4Yara detected TrickbotJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmpMalware Configuration Extractor: Trickbot {"ver": "100019", "gtag": "top147", "servs": ["65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443", "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443", "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443", "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443", "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443", "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4="}
    Multi AV Scanner detection for submitted fileShow sources
    Source: dngqoAXyDd.exeReversingLabs: Detection: 28%
    Source: dngqoAXyDd.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: dngqoAXyDd.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov ebx, edx
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec ecx
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then cmp dword ptr [eax], ecx
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ebp
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then movzx ecx, byte ptr [ebp-07h]
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov byte ptr [esp+ecx+70h], cl
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax
    Source: dngqoAXyDd.exe, 00000000.00000002.374383373.0000000000BCA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: dngqoAXyDd.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: dngqoAXyDd.exe, 00000000.00000000.349339594.0000000000210000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
    Source: dngqoAXyDd.exeBinary or memory string: OriginalFilenamecorrect.dll( vs dngqoAXyDd.exe
    Source: dngqoAXyDd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dngqoAXyDd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dngqoAXyDd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dngqoAXyDd.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A911C
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019C201
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A82BD
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A941B
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019C5D3
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A16DE
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A880E
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0018C950
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019C9BB
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019B9CE
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001ABBF1
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00195C19
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A4D22
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A7D6E
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A9E7F
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019BE63
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_001A8EA1
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00B33168
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18C2F30
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18CC750
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D4260
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18E4CF0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18C1030
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DE47D
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D73A0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18C3BB0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18E33D0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DE3F0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D17F0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D740C
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18C4730
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18C7340
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18E5F60
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D7760
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D1EA0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18E52C0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D5AC0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D7EE0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18CF700
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18E4B10
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D9A80
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18CFE8E
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D51A0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18E45D0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D35D0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18C79D0
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18D0A00
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DB920
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DED70
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: String function: 001975F5 appears 32 times
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: String function: 001943E0 appears 58 times
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18CC750 NtQuerySystemInformation,DuplicateHandle,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor,
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DC550 NtDelayExecution,
    Source: C:\Windows\System32\wermgr.exeProcess Stats: CPU usage > 98%
    Source: dngqoAXyDd.exeReversingLabs: Detection: 28%
    Source: dngqoAXyDd.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Users\user\Desktop\dngqoAXyDd.exe "C:\Users\user\Desktop\dngqoAXyDd.exe"
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
    Source: dngqoAXyDd.exeJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18CF3C0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,
    Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{1E3DF0E8-5598-5F45-953F-FB33A6DDAB0E}
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00181E80 GetDC,KiUserCallbackDispatcher,GetSystemMetrics,FindResourceA,FindResourceA,FindResourceA,FindResourceA,FindResourceA,VirtualAlloc,SizeofResource,LoadResource,_memmove,SHGetFolderPathA,
    Source: C:\Windows\System32\wermgr.exeSystem information queried: HandleInformation
    Source: classification engineClassification label: mal80.troj.evad.winEXE@5/0@0/0
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: dngqoAXyDd.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: dngqoAXyDd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: c:\sample exe lego\correctmodel.pdb source: dngqoAXyDd.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00190093 pushad ; ret
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0018D0DF push ecx; ret
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00194425 push ecx; ret
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019CEE1 push 510019C7h; retf
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00B50390 push dword ptr [edx+14h]; ret
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DDF22 push esp; iretd
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary,

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Windows\System32\wermgr.exeRDTSC instruction interceptor: First address: 00000239A18DADA0 second address: 00000239A18DADA0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec eax 0x0000000b mov esi, eax 0x0000000d call dword ptr [000209CAh] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b mov ebp, eax 0x0000002d dec eax 0x0000002e mov ebx, esi 0x00000030 dec eax 0x00000031 xor ebx, FFFFFF00h 0x00000037 dec eax 0x00000038 and ebx, esi 0x0000003a call 00007FD4D503444Bh 0x0000003f rdtsc
    Found evasive API chain (trying to detect sleep duration tampering with parallel thread)Show sources
    Source: C:\Windows\System32\wermgr.exeFunction Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed
    Source: C:\Users\user\Desktop\dngqoAXyDd.exe TID: 204Thread sleep count: 140 > 30
    Source: C:\Windows\System32\wermgr.exeLast function: Thread delayed
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\wermgr.exeCode function: GetAdaptersInfo,RtlDeleteBoundaryDescriptor,
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DADA0 rdtsc
    Source: wermgr.exe, 00000001.00000002.620774308.00000239A1AE0000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Windows\System32\wermgr.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019DD3C DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary,
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DADA0 rdtsc
    Source: C:\Windows\System32\wermgr.exeCode function: 1_2_00000239A18DA280 LdrLoadDll,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019676A SetUnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0019293C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_0018CFF8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Writes to foreign memory regionsShow sources
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeMemory written: C:\Windows\System32\wermgr.exe base: 239A18C0000
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeMemory written: C:\Windows\System32\wermgr.exe base: 7FF7AE922860
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmpBinary or memory string: &Program Manager
    Source: wermgr.exe, 00000001.00000002.620961764.00000239A2120000.00000002.00020000.sdmpBinary or memory string: Progmanlock
    Source: C:\Windows\System32\wermgr.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: EnumSystemLocalesA,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: GetLocaleInfoA,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
    Source: C:\Users\user\Desktop\dngqoAXyDd.exeCode function: 0_2_00197022 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

    Stealing of Sensitive Information:

    barindex
    Yara detected TrickbotShow sources
    Source: Yara matchFile source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

    Remote Access Functionality:

    barindex
    Yara detected TrickbotShow sources
    Source: Yara matchFile source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsNative API11Path InterceptionAccess Token Manipulation1Disable or Modify Tools1Input Capture1System Time Discovery1Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsProcess Injection112Virtualization/Sandbox Evasion111LSASS MemorySecurity Software Discovery221Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Access Token Manipulation1Security Account ManagerVirtualization/Sandbox Evasion111SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSProcess Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Network Configuration Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsSystem Information Discovery123VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    dngqoAXyDd.exe29%ReversingLabsWin32.Trojan.Trickpak

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:516930
    Start date:06.11.2021
    Start time:15:02:51
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 52s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:dngqoAXyDd.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:21
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal80.troj.evad.winEXE@5/0@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 18.1% (good quality ratio 16.9%)
    • Quality average: 83.1%
    • Quality standard deviation: 28.2%
    HCA Information:
    • Successful, ratio: 67%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/516930/sample/dngqoAXyDd.exe

    Simulations

    Behavior and APIs

    TimeTypeDescription
    15:04:04API Interceptor1x Sleep call for process: dngqoAXyDd.exe modified
    15:04:04API Interceptor1x Sleep call for process: wermgr.exe modified

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.167416806599989
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:dngqoAXyDd.exe
    File size:652800
    MD5:0afbb383c5cea9f11202d572141bb0f4
    SHA1:148266112b25087f10ac1124ea32630e48fb0bd9
    SHA256:6a910ec8055b3844e3dd14c7af08a68110abc9395a88ab9199e69ed07be27210
    SHA512:702447b6e1313224d4c8084f716d8d838090c7bd9fb3558c6ab4553ce3676bb5fe1c2ebde61e4ed8b7bb6d3d7f1dfd11c434e5e0f9b7baa2511a12fd1c501880
    SSDEEP:12288:AjX3XdmePk2BSPkno2voTFa24aZZTUQxIpTLY0E5pM:2HXgASPMNvoTFFjT8tLYNH
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u.......b.....&.....|...r...u...#.....'.G.......t...u...t.......t...Richu...................PE..L....(.a...........

    File Icon

    Icon Hash:0000000000000000

    Static PE Info

    General

    Entrypoint:0x40cfee
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
    DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x618528F1 [Fri Nov 5 12:52:01 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:1
    File Version Major:5
    File Version Minor:1
    Subsystem Version Major:5
    Subsystem Version Minor:1
    Import Hash:2a49715e49b2891839bf716e121ca434

    Entrypoint Preview

    Instruction
    call 00007FD4D5055364h
    jmp 00007FD4D504B1BEh
    cmp ecx, dword ptr [00443AD4h]
    jne 00007FD4D504B334h
    rep ret
    jmp 00007FD4D50553EBh
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]
    push ebx
    push esi
    push edi
    mov dword ptr [eax], ebp
    mov ebp, eax
    mov eax, dword ptr [00443AD4h]
    xor eax, ebp
    push eax
    push dword ptr [ebp-04h]
    mov dword ptr [ebp-04h], FFFFFFFFh
    lea eax, dword ptr [ebp-0Ch]
    mov dword ptr fs:[00000000h], eax
    ret
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]
    push ebx
    push esi
    push edi
    mov dword ptr [eax], ebp
    mov ebp, eax
    mov eax, dword ptr [00443AD4h]
    xor eax, ebp
    push eax
    mov dword ptr [ebp-10h], esp
    push dword ptr [ebp-04h]
    mov dword ptr [ebp-04h], FFFFFFFFh
    lea eax, dword ptr [ebp-0Ch]
    mov dword ptr fs:[00000000h], eax
    ret
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]
    push ebx
    push esi
    push edi
    mov dword ptr [eax], ebp
    mov ebp, eax
    mov eax, dword ptr [00443AD4h]
    xor eax, ebp
    push eax
    mov dword ptr [ebp-10h], eax
    push dword ptr [ebp-04h]
    mov dword ptr [ebp-04h], FFFFFFFFh
    lea eax, dword ptr [ebp-0Ch]
    mov dword ptr fs:[00000000h], eax
    ret
    push eax
    push dword ptr fs:[00000000h]
    lea eax, dword ptr [esp+0Ch]
    sub esp, dword ptr [esp+0Ch]

    Rich Headers

    Programming Language:
    • [LNK] VS2010 build 30319
    • [ASM] VS2010 build 30319
    • [ C ] VS2010 build 30319
    • [C++] VS2010 build 30319
    • [RES] VS2010 build 30319
    • [IMP] VS2008 SP1 build 30729

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x480000x50.idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x490000x59689.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0xa30000x1db0.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x3b0a00x1c.rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x3ea500x40.rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x4826c0x21c.idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x382bb0x38400False0.395729166667data5.67953550398IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata0x3a0000x80820x8200False0.237379807692data3.46352247423IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data0x430000x45980x2000False0.2734375data3.48353069957IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .idata0x480000xc7b0xe00False0.318080357143data4.19163051635IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x490000x596890x59800False0.644514883031data6.09524824059IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc0xa30000x25c60x2600False0.625616776316data5.79339854832IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x906e00x2e8data
    RT_ICON0x909c80x1e8data
    RT_ICON0x90bb00x128GLS_BINARY_LSB_FIRST
    RT_ICON0x90cd80x6c8data
    RT_ICON0x913a00x568GLS_BINARY_LSB_FIRST
    RT_ICON0x919080x988data
    RT_ICON0x922900xca8data
    RT_ICON0x92f380xf0data
    RT_ICON0x930280xd0data
    RT_ICON0x930f80xb0GLS_BINARY_LSB_FIRST
    RT_ICON0x931a80x368GLS_BINARY_LSB_FIRST
    RT_MESSAGETABLE0x495180x471c6data
    RT_GROUP_ICON0x935100xa0data
    RT_VERSION0x935b00x270dataEnglishUnited States
    RT_MANIFEST0x495100x2Little-endian UTF-16 Unicode text, with no line terminatorsEnglishUnited States

    Imports

    DLLImport
    KERNEL32.dllMultiByteToWideChar, lstrlenA, LoadResource, SizeofResource, VirtualAlloc, FindResourceA, SetStdHandle, WriteConsoleW, LoadLibraryW, FreeLibrary, SetConsoleCtrlHandler, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, EncodePointer, DecodePointer, Sleep, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedCompareExchange, GetLastError, HeapAlloc, RtlUnwind, RaiseException, HeapFree, GetCommandLineA, HeapSetInformation, GetStartupInfoW, LCMapStringW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetCurrentThread, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, HeapDestroy, IsProcessorFeaturePresent, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, FatalAppExitA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer, CloseHandle, HeapSize, GetLocaleInfoW, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeW, HeapReAlloc, CreateFileW
    USER32.dllGetSystemMetrics, GetDC
    SHELL32.dllSHGetFolderPathA

    Version Infos

    DescriptionData
    InternalNamecorrect.dll
    FileVersion1.85.0.158
    CompanyNameol3 corp.
    ProductNameol3
    ProductVersion1.8.80.158
    FileDescriptionrne topd netikoe
    OriginalFilenamecorrect.dll
    Translation0x0409 0x04b0

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    Behavior

    Click to jump to process

    System Behavior

    General

    Start time:15:03:52
    Start date:06/11/2021
    Path:C:\Users\user\Desktop\dngqoAXyDd.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\dngqoAXyDd.exe"
    Imagebase:0x180000
    File size:652800 bytes
    MD5 hash:0AFBB383C5CEA9F11202D572141BB0F4
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000000.00000002.374239555.0000000000B31000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    General

    Start time:15:03:58
    Start date:06/11/2021
    Path:C:\Windows\System32\wermgr.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\wermgr.exe
    Imagebase:0x7ff7ae910000
    File size:209312 bytes
    MD5 hash:FF214585BF10206E21EA8EBA202FACFD
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:15:04:00
    Start date:06/11/2021
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\cmd.exe
    Imagebase:0x7ff7180e0000
    File size:273920 bytes
    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis

    Reset < >