Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"} |
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"} |
Source: 5Uvn8Uyob8.exe |
ReversingLabs: Detection: 31% |
Source: 5Uvn8Uyob8.exe |
Virustotal: Detection: 32% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 98.8% probability |
Source: 5Uvn8Uyob8.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872ED440 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
0_2_00007FF6872ED440 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872ED2BC FindFirstFileExW, |
0_2_00007FF6872ED2BC |
Source: Malware configuration extractor |
URLs: http://119.45.147.28:443/jquery-3.3.2.slim.min.js |
Source: Malware configuration extractor |
URLs: http://119.45.147.28/jquery-3.3.2.slim.min.js |
Source: Joe Sandbox View |
ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 119.45.147.28:443 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 119.45.147.28:443 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 119.45.147.28:443 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 119.45.147.28:443 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 119.45.147.28 |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://code.jquery.com/ |
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://code.jquery.com/Rs |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/ |
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/F |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/e |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsM |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsY |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsd4_ |
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsi |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsm: |
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsu |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/query-3.3.2.slim.min.js1 |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/su |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E4F60 NtDelayExecution, |
0_2_00007FF6872E4F60 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E549A NtAllocateVirtualMemory,NtProtectVirtualMemory,CreateFiber, |
0_2_00007FF6872E549A |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872F3F98 |
0_2_00007FF6872F3F98 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872ED440 |
0_2_00007FF6872ED440 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E82B4 |
0_2_00007FF6872E82B4 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872ED2BC |
0_2_00007FF6872ED2BC |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_0000021DEDA7010C |
0_2_0000021DEDA7010C |
Source: 5Uvn8Uyob8.exe |
Static PE information: invalid certificate |
Source: 5Uvn8Uyob8.exe |
Binary or memory string: OriginalFilename vs 5Uvn8Uyob8.exe |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamemsedge.exe> vs 5Uvn8Uyob8.exe |
Source: 5Uvn8Uyob8.exe |
Binary or memory string: OriginalFilenamemsedge.exe> vs 5Uvn8Uyob8.exe |
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal88.troj.winEXE@2/0@0/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03 |
Source: 5Uvn8Uyob8.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\5Uvn8Uyob8.exe "C:\Users\user\Desktop\5Uvn8Uyob8.exe" |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: 5Uvn8Uyob8.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: 5Uvn8Uyob8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 5Uvn8Uyob8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 5Uvn8Uyob8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 5Uvn8Uyob8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 5Uvn8Uyob8.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: 5Uvn8Uyob8.exe |
Static PE information: section name: .00cfg |
Source: 5Uvn8Uyob8.exe |
Static PE information: section name: .gxfg |
Source: 5Uvn8Uyob8.exe |
Static PE information: section name: .retplne |
Source: 5Uvn8Uyob8.exe |
Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_0000021DEDA7012B push eax; ret |
0_2_0000021DEDA70387 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_0000021DEDA7010C push eax; ret |
0_2_0000021DEDA70387 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
API coverage: 7.2 % |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe TID: 7500 |
Thread sleep time: -30000s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E4BF0 GetSystemInfo, |
0_2_00007FF6872E4BF0 |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDAF0000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDAF0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW@j |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872EAEA8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FF6872EAEA8 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E97E4 GetProcessHeap, |
0_2_00007FF6872E97E4 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E5F18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FF6872E5F18 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E65A4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FF6872E65A4 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E6594 SetUnhandledExceptionFilter, |
0_2_00007FF6872E6594 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872F3DB0 cpuid |
0_2_00007FF6872F3DB0 |
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Code function: 0_2_00007FF6872E8C8C GetSystemTimeAsFileTime, |
0_2_00007FF6872E8C8C |
Source: Yara match |
File source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |