Windows Analysis Report: kde.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Process Tree
- System is w10x64
- kde.exe (PID: 4768, cmdline: "C:\Users\user\Desktop\kde.exe", MD5: 2A597D25BBECFCA9550DF0D6F48BCAFB)
  - WerFault.exe (PID: 1880, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388, MD5: 9E2B8ACAD48ECCA55C0230D63623661B) (Windows Error Reporting for PID 4768, so kde.exe crashed during the run)
- cleanup
Yara matches (the Source column naming the artefact each hit came from was not captured)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
5 hits shown, 2 further entries collapsed | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security | |
5 hits shown, 3 further entries collapsed | JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security | |
Signature Overview (one row per signature; the evidence text behind each row was not captured, so only the evidence type and the number of evidence rows survive; the 15 File source rows repeated under four categories are the 15 Yara matches above, 7 + 8, counted under every category the DanaBot rule is tagged with)
AV Detection |
---|
Source: | ReversingLabs: |
Source: | File source: | 15 rows |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: | 2 rows |
Source: | Code function: | 3 rows |
Source: | String found in binary or memory: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: | 15 rows |
Further signatures (category headings not captured) |
---|
Source: | Static PE information: |
Source: | Binary or memory string: | 2 rows |
Source: | Process created: |
Source: | Static PE information: | 2 rows |
Source: | Code function: | 2 rows |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key opened: | 2 rows |
Source: | Process created: | 2 rows |
Source: | Mutant created: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: | 2 rows |
Source: | Static file information: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static PE information: | 6 rows |
Source: | Static PE information: |
Source: | Binary string: | 2 rows |
Source: | Code function: | 17 rows |
Source: | Process information set: | 20 rows |
Source: | Code function: |
Source: | Code function: | 3 rows |
Source: | Binary or memory string: | 17 rows |
Source: | Code function: |
Source: | Process queried: | 2 rows |
Source: | Code function: | 4 rows |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Binary or memory string: | 3 rows |
Stealing of Sensitive Information |
---|
Source: | File source: | 15 rows |
Remote Access Functionality |
---|
Source: | File source: | 15 rows |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Antivirus, machine learning and reputation results for the initial sample:
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 53% | ReversingLabs | Win32.Trojan.Azorult | |
| 100% | Joe Sandbox ML | | |
The ReversingLabs family label (Azorult) disagrees with the Yara classification (DanaBot stealer dll). A static AV label on a packed sample frequently reflects the packer layer rather than the payload, whereas the Yara rule matched 15 distinct artefacts during analysis, so the DanaBot attribution is the stronger signal.
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 578630 |
Start date: | 25.02.2022 |
Start time: | 04:01:32 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | kde.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.troj.winEXE@2/6@0/0 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.168.117.173
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: kde.exe
Note that WerFault.exe, which wrote all six dropped files listed below, is itself on the process exclusion list, so its behavior was not instrumented; together with the Timeout stop reason and the crash of kde.exe this means the behavioral part of the report is incomplete and the score of 60 understates a sample whose memory matched a DanaBot stealer rule.
Time | Type | Description |
---|---|---|
04:02:41 | API Interceptor | |
Dropped Files (all six were written by WerFault.exe; file names and paths were not captured)
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.766489995190086 |
Encrypted: | false |
SSDEEP: | 96:MF9F2NSxKbueJTJvhV97Y91pXIQcQ+c63fcE7cw3Y1S+HbHg/8BRTf3Oy1EISWb4:MnsNbXTyHQTfB01bju7/u7snS274ItU |
MD5: | B504A0E5BA4C3648778CB5F5A446987D |
SHA1: | 2E107E0759BE7669EB152933A331AAD34AA09E51 |
SHA-256: | EAF109DEB7BED7A68113126C9200C99D5C54B09689D51AC1A2DA4CBCBCDF5E17 |
SHA-512: | E4D84541FCA39BB3319E781D3F1B2C2590216B64938BAB11BE47957ECC7F0F00099DE4F5F23D01BDE39FE3B6733B850777EE2FFADD4B848DE7BF62278076E513 |
Malicious: | true |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 58470 |
Entropy (8bit): | 2.318560026717585 |
Encrypted: | false |
SSDEEP: | 384:718fOpfimJOVjucepyH+DaUjPchpGx9SuD1d:7mf0JONeMujPM4xUm |
MD5: | C989337E214D9026BFB380D7F9EFA4F9 |
SHA1: | 95B38FB53212A31943B7FE3CBC1F7ED53CBBCB36 |
SHA-256: | 2677337E95A02CB7B5F5E2DB1A6DA99410B3E1D13744982F297E692D84F26B4A |
SHA-512: | B75E80D80F27A066CD456D045BF920016371634A73FDC4524736AAEC0DE9EC97B1A8B81D245603BA8E30718F4E294B10515DFA1C11841C777247A76D1251DD26 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8270 |
Entropy (8bit): | 3.6896176509862144 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiejU6IaGKS6YF2SUwCgmfiS5B1dCprc89b4Rrsf+aBm:RrlsNiwU6Iae6Y0SUwCgmfiS5js4RwfC |
MD5: | 5A91703779555E7BDA1B2E7493AC2FB0 |
SHA1: | 47C2E7581A89201B26F6E5B12DA689A02CC4684C |
SHA-256: | A5BF80E412D12495D3BE2BF09F143C5E752AC6FDE543440439A432860F7BDACB |
SHA-512: | B7A5BF2BA63E511C3DC200B33E6B919D7B315680B2D08FF7AF691AAAFFC797D7AF0B6AEE2ED151FD195C38D532F20B4116616E8D91D8E89F36B0B63ADF0A6018 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4514 |
Entropy (8bit): | 4.419469536377917 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsArJgtWI9lxWSC8Bc8fm8M4JkXhxDwwFvx+q8tdtPVgZUW2ZVYydd:uITfAFCgSN3J0TwYxaxVo9sYydd |
MD5: | 8F4B2B65EA60534050B42307F6EEAAA9 |
SHA1: | F70CEA732847771465AAA04C5218B54C45A130CF |
SHA-256: | 3DE319F62760575062A56CF9D70583F574E244907719958030D0DB65BE56FE2B |
SHA-512: | CE62994FC342157853628F0122D79C7463C4AEB96BECF4F16D70DA3ADC0C3858823117127CFFC31BE5BB96DD959EC329BF56A7494054F9642DCE6CDF52B56173 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.274596008094446 |
Encrypted: | false |
SSDEEP: | 12288:1YC4PxHBCmuwj1aT1sYwceCDn4DHiprV1dIS84f/NmKMl1nmubD0D:2C4PxHBCmuwj1ajZ |
MD5: | 00A78A5AFE0DB01E1C6D7E6AC51E5B74 |
SHA1: | E16626A217A447B1B3BDBC0D788BB8B41A6D500A |
SHA-256: | 42440531FA4C8549679B141DC88035F17320503CC2F8ED741A7BDF7652273794 |
SHA-512: | FAB2BAFFB41612C49D7D02AA1103C08FF2930CE0DE5C2D925AE8E4C2098EC33B42F32B349A200A679FC568AC2114A30C7976FED1F4EBAF03B458342D28D8A1E0 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 3.9795377567477153 |
Encrypted: | false |
SSDEEP: | 384:N+HW75Rftx14PJ4XbsBFn07kHPBqXISeq5QMVyiC+/5l4Lk4EZd1DoXzObImQac:uWFRftx1+J4X4BF07QBqXbeq5QMVyiCO |
MD5: | C9FA501851BD93D9322BB96A5BBDDB65 |
SHA1: | 9611146D66CCA69CD57844AEE695B1874F00F36D |
SHA-256: | 6BEFC25A01428E1414A54CAD4F38A65302155C9603ABE57E475F7DE07A630042 |
SHA-512: | E2B30A91B81C41E1B6321721246797ECDE2AB39C1BB9649A4AF457FD3A5A5F7F0E45098F7E983D6A4EEF760ED138A95A7A6FEDEB8B2E2877C59D05B1D0EA8886 |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 7.635715788071644 |
TrID: | |
File name: | kde.exe |
File size: | 1235968 |
MD5: | 2a597d25bbecfca9550df0d6f48bcafb |
SHA1: | 5aa68ba69c391a3bcc93e88378a4e4818a2a9181 |
SHA256: | 532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28 |
SHA512: | e5b2799fab9f63de7162d665ea5e8356d54c3ca368f58b4679211cd87521db4d9f80bf2c8104b32e3f3c4d712af2a971cff92406ad22a38295928376fa25b3b1 |
SSDEEP: | 24576:XPT/TXZ/ngay5PIhCPgI65AzwWK1fraAhdDRjH2Msfwpu:TTpgICiuGfrn7DRjWMVu |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............VB......VT......................VS......VC......VF.....Rich............................PE..L...._._........... |
Icon Hash: | c8d0d8e0f8e0f4e8 |
Entrypoint: | 0x40abe0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x5FEE5FF6 [Thu Dec 31 23:34:14 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | bb691abe2029e4024abbec6edd66f52e |
Entrypoint disassembly (0x40abe0 in .text). The first routine is the Visual C++ CRT entry stub: a hotpatch prologue (mov edi, edi), a call that initialises the /GS security cookie and a call into the CRT start routine. The second routine, after the int3 padding, is that start routine: it installs an SEH frame through fs:[0], xors the frame with the security cookie read from 00510C94h, calls through the IAT slot at 004012A4h (the CRT's GetStartupInfo call at this point), then initialises the heap (push 1; call) and multithreading support, exiting with CRT error codes 1Ch and 10h if either fails. This is MSVC CRT code, which, together with the Rich header in the file content preview, contradicts the "Borland Delphi" language heuristic recorded for the process further down.
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
call 00007F1320C1BC5Bh |
call 00007F1320C16786h |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
mov edi, edi |
push ebp |
mov ebp, esp |
push FFFFFFFEh |
push 00424348h |
push 0040DEE0h |
mov eax, dword ptr fs:[00000000h] |
push eax |
add esp, FFFFFF94h |
push ebx |
push esi |
push edi |
mov eax, dword ptr [00510C94h] |
xor dword ptr [ebp-08h], eax |
xor eax, ebp |
push eax |
lea eax, dword ptr [ebp-10h] |
mov dword ptr fs:[00000000h], eax |
mov dword ptr [ebp-18h], esp |
mov dword ptr [ebp-70h], 00000000h |
mov dword ptr [ebp-04h], 00000000h |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [004012A4h] |
mov dword ptr [ebp-04h], FFFFFFFEh |
jmp 00007F1320C16798h |
mov eax, 00000001h |
ret |
mov esp, dword ptr [ebp-18h] |
mov dword ptr [ebp-78h], 000000FFh |
mov dword ptr [ebp-04h], FFFFFFFEh |
mov eax, dword ptr [ebp-78h] |
jmp 00007F1320C168C8h |
mov dword ptr [ebp-04h], FFFFFFFEh |
call 00007F1320C16904h |
mov dword ptr [ebp-6Ch], eax |
push 00000001h |
call 00007F1320C1C87Ah |
add esp, 04h |
test eax, eax |
jne 00007F1320C1677Ch |
push 0000001Ch |
call 00007F1320C168BCh |
add esp, 04h |
call 00007F1320C1A994h |
test eax, eax |
jne 00007F1320C1677Ch |
push 00000010h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24a4c | 0x3c | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27da000 | 0x89b0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x27e3000 | 0x196c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13d0 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x80b8 | 0x18 | .text |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8070 | 0x40 | .text |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x37c | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x24f86 | 0x25000 | False | 0.428176467483 | data | 6.26658613282 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x26000 | 0x27b36c4 | 0xebc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x27da000 | 0x89b0 | 0x8a00 | False | 0.603374094203 | data | 5.73223003631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x27e3000 | 0x14058 | 0x14200 | False | 0.0694026591615 | data | 0.903465809032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
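The section table is the most telling static artefact on this page. .data has VirtualSize 0x27b36c4 (about 40 MiB) against SizeOfRawData 0xebc00 (under 1 MiB), and the scanner reports its entropy as unknown. The loader honours VirtualSize, so the mapped image gets roughly 38 MiB of zero-filled writable memory beyond what the file supplies, which is the kind of space a packer uses to decrypt and unpack a payload in place, and it fits the Yara hits on a DanaBot stealer DLL that the static tables on this page do not otherwise account for. The numbers are internally consistent: 0x400 bytes of headers plus the four raw sizes equal exactly the reported file size of 1235968 bytes. The following is an added example, not code from the report or from Joe Sandbox: a minimal PE32 header parser and the checks a triage analyst runs over a section table. The header values are this report's; the section bodies are constructed filler (seeded pseudo-random bytes standing in for the .data payload), so the entropy figures it prints are illustrative, while the size-ratio finding follows directly from the report's numbers.

```python
"""Added example (not from the Joe Sandbox report): minimal PE32 section audit. Header values come
from this report's tables for kde.exe; section bodies are constructed filler, the sample is not embedded."""
import math
import random
import struct
from collections import Counter

SCN_CODE, SCN_IDATA, SCN_DISCARDABLE = 0x00000020, 0x00000040, 0x02000000
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
IMAGE_BASE, ENTRY_VA, HEADERS_SIZE = 0x400000, 0x40abe0, 0x400
# name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics, as printed in the report's section table
REPORT_SECTIONS = [
    (b".text",  0x0001000, 0x0024f86, 0x25000, SCN_CODE | SCN_EXEC | SCN_READ),
    (b".data",  0x0026000, 0x27b36c4, 0xebc00, SCN_IDATA | SCN_READ | SCN_WRITE),
    (b".rsrc",  0x27da000, 0x00089b0, 0x08a00, SCN_IDATA | SCN_READ),
    (b".reloc", 0x27e3000, 0x0014058, 0x14200, SCN_IDATA | SCN_READ | SCN_DISCARDABLE),
]

def _filler(name: bytes, n: int) -> bytes:
    # Constructed bodies: seeded pseudo-random bytes stand in for an encrypted .data payload,
    # short repeating patterns for the rest; entropies measured on them are illustrative only.
    if name == b".data":
        return random.Random(0x5FEE5FF6).getrandbits(8 * n).to_bytes(n, "little")
    pattern = {b".text": b"\x8b\xff\x55\x8b\xec" + bytes(range(0x40)),
               b".rsrc": bytes(range(0x30)), b".reloc": b"\x00\x00\x00\x10"}[name]
    return (pattern * (n // len(pattern) + 1))[:n]

def build_sample_pe() -> bytes:
    """DOS header, PE signature, COFF header, PE32 optional header, section table, then the bodies."""
    e_lfanew = 0x80
    hdr = (b"MZ" + b"\0" * 0x3a + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0") + b"PE\0\0"
    # Machine i386, 4 sections, TimeDateStamp 0x5FEE5FF6, SizeOfOptionalHeader 0xE0, EXECUTABLE_IMAGE|32BIT_MACHINE
    hdr += struct.pack("<HHIIIHH", 0x14c, len(REPORT_SECTIONS), 0x5FEE5FF6, 0, 0, 0xE0, 0x0102)
    size_of_image = 0x27e3000 + 0x15000  # last section VA + its VirtualSize rounded up to SectionAlignment
    hdr += struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                       0x10b, 9, 0, 0x25000, 0xebc00 + 0x8a00 + 0x14200, 0,
                       ENTRY_VA - IMAGE_BASE, 0x1000, 0x26000, IMAGE_BASE, 0x1000, 0x200,
                       5, 0, 5, 0, 5, 0, 0, size_of_image, HEADERS_SIZE, 0,
                       2, 0x8100, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16  # IMPORT, RESOURCE and BASERELOC directory entries as reported
    dirs[1], dirs[2], dirs[5] = (0x24a4c, 0x3c), (0x27da000, 0x89b0), (0x27e3000, 0x196c)
    hdr += b"".join(struct.pack("<II", *d) for d in dirs)
    bodies, raw_ptr = [], HEADERS_SIZE
    for name, va, vsize, raw_size, chars in REPORT_SECTIONS:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies.append(_filler(name, raw_size))
        raw_ptr += raw_size
    return hdr.ljust(HEADERS_SIZE, b"\0") + b"".join(bodies)

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(pe: bytes) -> dict:
    """Read just enough of the headers to rebuild the report's section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3c)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic, entry_rva = struct.unpack_from("<H", pe, opt)[0], struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = (struct.unpack_from("<I", pe, opt + 28)[0] if magic == 0x10b  # PE32
                  else struct.unpack_from("<Q", pe, opt + 24)[0])             # PE32+
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "exec": bool(chars & SCN_EXEC), "write": bool(chars & SCN_WRITE),
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}

def section_for_rva(info: dict, rva: int):
    """The section whose mapped range (VirtualSize, or raw size if larger) covers rva, else None."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def audit(info: dict, expand_ratio: float = 4.0, high_entropy: float = 7.2) -> list:
    """The checks a triage analyst runs over a section table; returns readable findings."""
    findings = []
    ep = section_for_rva(info, info["entry_rva"])
    if ep is None or not ep["exec"]:
        findings.append(f"entrypoint {info['image_base'] + info['entry_rva']:#x} is not in an executable section")
    for s in info["sections"]:
        ratio = s["vsize"] / s["raw_size"] if s["raw_size"] else float("inf")
        if s["write"] and ratio >= expand_ratio:
            findings.append(f"{s['name']}: VirtualSize {s['vsize']:#x} is {ratio:.0f}x SizeOfRawData "
                            f"{s['raw_size']:#x}; the loader maps ~{(s['vsize'] - s['raw_size']) >> 20} MiB "
                            "of zero-filled writable memory, room for a packer to unpack a payload in place")
        if s["entropy"] >= high_entropy:
            findings.append(f"{s['name']}: raw entropy {s['entropy']:.2f} bits/byte, "
                            "consistent with compressed or encrypted content")
        if s["exec"] and s["write"]:
            findings.append(f"{s['name']}: section is writable and executable")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_pe(build_sample_pe()))))
```

Run it as a script to print the findings, or pass the bytes of a real file to parse_pe to audit a sample instead of the constructed image. The 4x expansion and 7.2 bits/byte thresholds are this example's choices, not Joe Sandbox's; the size-ratio check is the one that fires on the reported numbers regardless of what the real .data bytes look like.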
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_CURSOR | 0x27e0680 | 0x130 | data | ||
RT_CURSOR | 0x27e07b0 | 0xf0 | data | ||
RT_CURSOR | 0x27e08a0 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | ||
RT_CURSOR | 0x27e1978 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | ||
RT_ICON | 0x27da4b0 | 0x6c8 | data | ||
RT_ICON | 0x27dab78 | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x27db0e0 | 0x10a8 | data | ||
RT_ICON | 0x27dc188 | 0x988 | dBase III DBT, version number 0, next free block index 40 | ||
RT_ICON | 0x27dcb10 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x27dcfc8 | 0x25a8 | data | ||
RT_ICON | 0x27df570 | 0x10a8 | data | ||
RT_STRING | 0x27e2368 | 0x1ac | data | ||
RT_STRING | 0x27e2518 | 0x36c | data | ||
RT_STRING | 0x27e2888 | 0x128 | data | ||
RT_ACCELERATOR | 0x27e0660 | 0x20 | data | ||
RT_ACCELERATOR | 0x27e0640 | 0x20 | data | ||
RT_GROUP_CURSOR | 0x27e1948 | 0x30 | data | ||
RT_GROUP_CURSOR | 0x27e2220 | 0x14 | data | ||
RT_GROUP_ICON | 0x27dcf78 | 0x4c | data | ||
RT_GROUP_ICON | 0x27e0618 | 0x22 | data | ||
RT_VERSION | 0x27e2238 | 0x130 | data |
DLL | Import |
---|---|
KERNEL32.dll | LoadLibraryA, GetComputerNameExA, WriteProfileSectionA, GetNumaProcessorNode, FindFirstVolumeA, SetConsoleCursorInfo, HeapUnlock, FindFirstChangeNotificationA, WaitForSingleObject, GetNamedPipeHandleStateW, FileTimeToDosDateTime, EnumResourceTypesA, EnumResourceNamesW, ExitProcess, TerminateProcess, ActivateActCtx, GetVersionExW, VerifyVersionInfoW, SetConsoleOutputCP, ResetEvent, FindNextFileW, GetCompressedFileSizeA, CopyFileExA, ReadConsoleOutputCharacterA, GetDefaultCommConfigW, VerLanguageNameA, _hread, GetCommConfig, WritePrivateProfileStructA, FreeEnvironmentStringsW, CreateTimerQueue, FindVolumeClose, LeaveCriticalSection, WriteConsoleInputA, CancelWaitableTimer, SetComputerNameExW, FindAtomW, ReleaseMutex, LocalUnlock, CallNamedPipeW, BuildCommDCBAndTimeoutsA, VirtualProtect, LocalAlloc, TlsSetValue, GetCommandLineA, InterlockedIncrement, CopyFileA, AddRefActCtx, OutputDebugStringW, FormatMessageA, GetPriorityClass, WritePrivateProfileStringW, GetSystemDefaultLangID, TerminateThread, GlobalUnfix, HeapValidate, _hwrite, GetWindowsDirectoryA, GetStartupInfoW, CreatePipe, GetCPInfoExW, GetSystemWindowsDirectoryA, GetSystemWow64DirectoryA, GetLastError, GetCalendarInfoW, DebugBreak, GetConsoleCursorInfo, GetTickCount, DeleteVolumeMountPointA, OpenFileMappingW, ContinueDebugEvent, GetSystemWindowsDirectoryW, CopyFileW, SetMailslotInfo, AddConsoleAliasA, GetPrivateProfileIntW, ReadConsoleInputW, OutputDebugStringA, InterlockedDecrement, DefineDosDeviceA, SetVolumeMountPointA, SetThreadAffinityMask, SetConsoleActiveScreenBuffer, SetProcessAffinityMask, EnumResourceNamesA, GetThreadContext, GetLongPathNameW, SetConsoleTextAttribute, LoadLibraryW, EndUpdateResourceW, WaitForDebugEvent, ReadConsoleA, WriteConsoleA, InterlockedFlushSList, WritePrivateProfileSectionA, GetPrivateProfileStructA, DeleteCriticalSection, GetPrivateProfileSectionNamesA, GetDriveTypeW, GetFileAttributesExA, LocalFileTimeToFileTime, GetVolumePathNameA, GetConsoleMode, 
HeapSetInformation, GetComputerNameA, ProcessIdToSessionId, ReadProcessMemory, MoveFileExW, DisableThreadLibraryCalls, GlobalFix, WriteConsoleInputW, GlobalDeleteAtom, GetEnvironmentStrings, InterlockedExchangeAdd, WaitNamedPipeW, GetPrivateProfileStructW, GetExitCodeProcess, GetSystemTimeAsFileTime, GetLocalTime, EnumCalendarInfoExA, FreeEnvironmentStringsA, CreateIoCompletionPort, OpenSemaphoreA, GetMailslotInfo, GetCommModemStatus, lstrcpyA, HeapWalk, LockFile, EndUpdateResourceA, VerSetConditionMask, GetConsoleCP, GetConsoleAliasW, GetNumberOfConsoleInputEvents, GetProfileStringA, GetQueuedCompletionStatus, AllocConsole, GetNumaNodeProcessorMask, CreateMailslotW, EnumDateFormatsW, SetCommState, FileTimeToLocalFileTime, IsDebuggerPresent, GetSystemTimeAdjustment, _lread, GetConsoleAliasExesLengthA, GetWriteWatch, GetModuleHandleA, GetPrivateProfileStringA, ReadConsoleOutputAttribute, GetFileInformationByHandle, GetProfileStringW, MoveFileA, CreateActCtxW, SetCommMask, SetMessageWaitingIndicator, SetFileApisToANSI, OpenWaitableTimerW, GetProcessShutdownParameters, PeekNamedPipe, FillConsoleOutputCharacterW, FindNextVolumeMountPointA, GetThreadPriority, DeleteAtom, AddAtomW, WriteConsoleOutputCharacterW, QueryDosDeviceA, GetConsoleAliasExesW, GetBinaryTypeA, RaiseException, GetStartupInfoA, IsBadReadPtr, EnterCriticalSection, GetModuleFileNameW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, GetProcAddress, TlsGetValue, TlsAlloc, GetCurrentThreadId, TlsFree, SetLastError, SetHandleCount, GetStdHandle, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetModuleFileNameA, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, HeapFree, VirtualFree, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleW, SetFilePointer, MultiByteToWideChar, LCMapStringA, LCMapStringW, 
GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA |
USER32.dll | OemToCharW |
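The Import Hash above (bb691abe2029e4024abbec6edd66f52e) is the value to pivot on: it is an MD5 over the normalised, ordered list of imported module.function names, so two builds of the same crypter stub share it even when their file hashes differ. The table itself is also a tell. About 220 KERNEL32 imports spanning console, COMM-port, mailslot, NUMA and profile-string APIs is far more than a small GUI program uses, and padding the import table with plausible names is a common crypter trait, while the handful that matter for self-unpacking and evasion (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, IsDebuggerPresent, ReadProcessMemory, GetThreadContext) are all present. The following added example, not code from the report or from pefile, reproduces pefile's imphash normalisation and groups imports by capability over a constructed subset of this table; because it is a subset, its hash does not match the report's, and the capability groups are this example's own, not a Joe Sandbox category.

```python
"""Added example (not from the Joe Sandbox report): import hash the way pefile computes it, plus a
capability grouping of the imports. The list is a constructed SUBSET of the report's import table, in
table order, so its hash will not equal the reported bb691abe2029e4024abbec6edd66f52e."""
import hashlib

# Subset of the KERNEL32.dll / USER32.dll imports listed in the report; the real table has about 220 entries
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetComputerNameExA", "WriteProfileSectionA", "GetNumaProcessorNode",
                      "VirtualProtect", "IsDebuggerPresent", "GetThreadContext", "ReadProcessMemory",
                      "WaitForDebugEvent", "ContinueDebugEvent", "GetProcAddress", "VirtualAlloc",
                      "GetTickCount", "QueryPerformanceCounter", "GetStartupInfoW", "CloseHandle", "CreateFileA"]),
    ("USER32.dll", ["OemToCharW"]),
]

# API groups a triage analyst looks for in a packed sample's import table (this example's own grouping)
CAPABILITIES = {
    "self-unpacking": {"virtualalloc", "virtualprotect", "loadlibrarya", "loadlibraryw", "getprocaddress"},
    "anti-debug / timing": {"isdebuggerpresent", "gettickcount", "queryperformancecounter"},
    "process introspection": {"readprocessmemory", "getthreadcontext", "waitfordebugevent", "continuedebugevent"},
}

def imphash_input(imports) -> str:
    """pefile normalisation: lower-case, strip .dll/.ocx/.sys from the module, emit 'module.function'
    in import-table order joined by commas. Ordinal-only imports (pefile writes ord<N>, or a name from
    its ordinal tables for a few DLLs) are not handled in this simplified version."""
    parts = []
    for dll, funcs in imports:
        module, _, ext = dll.lower().rpartition(".")
        if ext not in ("dll", "ocx", "sys"):
            module = dll.lower()
        parts.extend(f"{module}.{func.lower()}" for func in funcs)
    return ",".join(parts)

def imphash(imports) -> str:
    """MD5 over the normalised string; order-sensitive, so the same APIs in another order hash differently."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()

def capability_summary(imports) -> dict:
    """Which of the CAPABILITIES groups the import table covers, with the matching APIs."""
    names = {func.lower() for _, funcs in imports for func in funcs}
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}

if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS))
    for cap, apis in capability_summary(SAMPLE_IMPORTS).items():
        print(f"{cap}: {', '.join(apis)}")
```

To reproduce the reported value, feed the complete KERNEL32.dll and USER32.dll lists from the table above, in that order, as the imports argument; the IAT directory size of 0x37c bytes (223 four-byte slots, 221 imports plus two null terminators) confirms the table printed here is the whole import set.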
Description | Data |
---|---|
Translations | 0x0025 0x023e |
Target ID: | 0 |
Start time: | 04:02:28 |
Start date: | 25/02/2022 |
Path: | C:\Users\user\Desktop\kde.exe |
Wow64 process (32bit): | true |
Commandline: | "C:\Users\user\Desktop\kde.exe" |
Imagebase: | 0x400000 |
File size: | 1235968 bytes |
MD5 hash: | 2A597D25BBECFCA9550DF0D6F48BCAFB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi (tool heuristic; the Rich header in the file content preview and the MSVC CRT startup code at the entrypoint point to a Microsoft Visual C++ build) |
Yara matches: | |
Reputation: | low |
Target ID: | 5 |
Start time: | 04:02:37 |
Start date: | 25/02/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388 |
Imagebase: | 0x300000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |