Source: 9HwMaWcccx.exe |
ReversingLabs: Detection: 44% |
Source: 9HwMaWcccx.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: 9HwMaWcccx.exe |
Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ |
Source: 9HwMaWcccx.exe |
Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb |
Source: 9HwMaWcccx.exe |
Binary string: C:\Windows\Start.pdb |
Source: 9HwMaWcccx.exe |
Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://103.239.244.218:8898/ |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://top6666.top/top/version.txt |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: 9HwMaWcccx.exe |
String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$ |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C2F6F90 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C2F7100 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, |
Source: Yara match |
File source: 9HwMaWcccx.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 9HwMaWcccx.exe PID: 7404, type: MEMORYSTR |
Source: 9HwMaWcccx.exe, type: SAMPLE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C309FB0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,std::wcout,std::wostream::operator<<(std::wostream& (*)(std::wostream&)),std::wcout,std::wostream::operator<<(std::wostream& (*)(std::wostream&)),VirtualFree, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C329FD0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C3097B0: DeviceIoControl, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code functions (address only): 0_2_00007FF69C2E696A, 0_2_00007FF69C2E6D5E, 0_2_00007FF69C2F85B0, 0_2_00007FF69C2E61DE, 0_2_00007FF69C2E65BC, 0_2_00007FF69C2E8230, 0_2_00007FF69C2FDE20, 0_2_00007FF69C305E20, 0_2_00007FF69C2E6E05, 0_2_00007FF69C300A70, 0_2_00007FF69C2E7245, 0_2_00007FF69C2E6A3F, 0_2_00007FF69C303E40, 0_2_00007FF69C2E9AB0, 0_2_00007FF69C2FD2B0, 0_2_00007FF69C2FC690, 0_2_00007FF69C2E62F1, 0_2_00007FF69C2E66E7, 0_2_00007FF69C2FE320, 0_2_00007FF69C2FDB70, 0_2_00007FF69C2FAB50, 0_2_00007FF69C309FB0, 0_2_00007FF69C2E57A5, 0_2_00007FF69C2F2BA0, 0_2_00007FF69C2F139F, 0_2_00007FF69C2E5F95, 0_2_00007FF69C303380, 0_2_00007FF69C31FC10, 0_2_00007FF69C2FFBD0, 0_2_00007FF69C3077C0, 0_2_00007FF69C308BC0, 0_2_00007FF69C2F5070, 0_2_00007FF69C2E585C, 0_2_00007FF69C2E709B, 0_2_00007FF69C2E5CD7, 0_2_00007FF69C3050D0, 0_2_00007FF69C3020C0, 0_2_00007FF69C2FCD30, 0_2_00007FF69C2E6124, 0_2_00007FF69C2F9910, 0_2_00007FF69C2E650B |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: String function: 00007FF69C2E75E0 appears 47 times |
Source: 9HwMaWcccx.exe, 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe |
Source: 9HwMaWcccx.exe, 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe |
Source: 9HwMaWcccx.exe |
Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe |
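The OriginalFilename iQVW64.SYS and the iqvw64e.pdb path do not belong to the loader itself: they come from a second PE image, Intel's iqvw64e.sys, stored inside 9HwMaWcccx.exe, and the "[<] Loading vulnerable driver" status strings further down match the log messages of the open-source kdmapper manual mapper, which uses that driver. The first triage step on such a sample is to carve every embedded PE image and see which indicators sit in which image. The script below is an added example, not code from the report or the sample; the SAMPLE bytes are constructed header-only stubs that stand in for the dropper, and the indicator names are ours.

```python
"""Carve embedded PE images out of a dropper and attribute string indicators
to each image. Added example for this report, not code from the sample or the
sandbox; the bytes in SAMPLE are constructed stubs, not 9HwMaWcccx.exe."""
import struct
from typing import Dict, List

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
SUBSYSTEMS = {1: "native", 2: "windows_gui", 3: "windows_cui"}  # 1 = kernel driver

# Indicators lifted from the report's string findings (the names are ours).
INDICATORS = {
    "pdb_iqvw64e": b"iqvw64e.pdb",
    "device_nal": b"\\Device\\Nal",
    "orig_filename_iqvw64": "iQVW64.SYS".encode("utf-16-le"),  # VERSIONINFO is UTF-16
    "loader_status_msg": b"Loading vulnerable driver",
}


def find_pe_images(buf: bytes) -> List[Dict]:
    """Every offset at which a plausible PE image starts.

    A hit needs 'MZ', an e_lfanew pointing inside the buffer at 'PE\\0\\0', a
    known machine type, and a readable Subsystem field in the optional header."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # 24 bytes of signature + file header; Subsystem sits at +68 of the optional header
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 + 70 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0":
                machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
                if machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
                    subsystem = struct.unpack_from("<H", buf, pe + 24 + 68)[0]
                    hits.append({
                        "offset": pos,
                        "machine": "x64" if machine == IMAGE_FILE_MACHINE_AMD64 else "x86",
                        "sections": nsections,
                        "subsystem": SUBSYSTEMS.get(subsystem, f"other({subsystem})"),
                    })
        pos = buf.find(b"MZ", pos + 1)
    return hits


def scan_indicators(buf: bytes) -> List[str]:
    """Names of the indicator strings present in buf, in INDICATORS order."""
    return [name for name, needle in INDICATORS.items() if needle in buf]


def triage(buf: bytes) -> Dict:
    """Carve images and attribute indicators to the image region they fall in.

    A region runs from one image's start to the next image's start (or EOF),
    which is how a driver stored as a blob behind the loader shows up."""
    images = find_pe_images(buf)
    bounds = [img["offset"] for img in images] + [len(buf)]
    for i, img in enumerate(images):
        img["indicators"] = scan_indicators(buf[bounds[i]:bounds[i + 1]])
    return {"images": images, "all_indicators": scan_indicators(buf)}


def _fake_pe(machine: int, subsystem: int, payload: bytes) -> bytes:
    """Constructed header-only PE stub for the demo: DOS header, PE signature,
    file header, a 240-byte PE32+ optional header, then payload bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem field
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + payload


# Constructed stand-in for the dropper: a GUI loader carrying the status
# message and device name, followed by a native-subsystem (driver) image
# carrying the Intel PDB path and the VERSIONINFO OriginalFilename.
SAMPLE = (
    _fake_pe(IMAGE_FILE_MACHINE_AMD64, 2, b"[<] Loading vulnerable driver, Name: \0\\Device\\Nal\0")
    + _fake_pe(IMAGE_FILE_MACHINE_AMD64, 1, b"iqvw64e.pdb\0" + "iQVW64.SYS".encode("utf-16-le"))
)

if __name__ == "__main__":
    for img in triage(SAMPLE)["images"]:
        print(f"image @0x{img['offset']:x} {img['machine']} subsystem={img['subsystem']} indicators={img['indicators']}")
```

On the real file, run triage over the bytes of 9HwMaWcccx.exe and carve the region of any image reported with subsystem "native"; that blob is the driver to hash and check against a vulnerable-driver list, and its region is where the Intel PDB path should land.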
Source: 9HwMaWcccx.exe, type: SAMPLE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime |
Source: 9HwMaWcccx.exe |
Binary string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x |
Source: 9HwMaWcccx.exe |
Binary string: \Device\Nal |
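The status strings above spell out the loader's procedure: write the vulnerable driver to the TEMP folder, register and start a service for it, open \Device\Nal, then scrub PiDDBCacheTable, KernelHashBucketList and MmUnloadedDrivers so the load leaves fewer traces. The sandbox run itself recorded no dropped file or service creation, so on a host where the loader did get that far the evidence is in the service-install and driver-load events. The detection below is an added example, not part of the report; its records are constructed, shaped after the System log 7045 "service installed" event (ServiceName, ImagePath, ServiceType, StartType) and Sysmon event 6 "driver loaded" (ImageLoaded, Signed, SignatureStatus), and the user-writable-path heuristic is ours.

```python
"""Detection rules for the loader behaviour described by the sample's status
strings: a kernel-mode driver service registered with an image under a
user-writable temp directory, and a load of the Intel iqvw64e.sys driver.
Added example, not part of the report; the records below are constructed,
shaped after System event 7045 (service installed) and Sysmon event 6
(driver loaded), and are not telemetry from the sandbox run."""
import ntpath
import re
from typing import Dict, List

# Driver file names this report surfaces as abused; extend from a BYOVD list.
ABUSED_DRIVER_NAMES = {"iqvw64e.sys"}

# Locations a standard user can write to. A legitimately installed driver
# lives under %SystemRoot%\System32\drivers, so these are suspicious on their own.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp|temp)\\", re.I
)


def normalize_path(path: str) -> str:
    """Strip quotes and the NT \\??\\ prefix that CreateService callers often pass."""
    path = path.strip().strip('"')
    if path.lower().startswith("\\??\\"):
        path = path[4:]
    return path


def check_service_install(ev: Dict) -> List[str]:
    """System log 7045: ServiceType 'kernel mode driver' plus a bad ImagePath."""
    reasons = []
    if ev.get("EventID") != 7045 or "kernel mode driver" not in ev.get("ServiceType", "").lower():
        return reasons
    image = normalize_path(ev.get("ImagePath", ""))
    if USER_WRITABLE.search(image):
        reasons.append("kernel driver installed from user-writable path")
    if ntpath.basename(image).lower() in ABUSED_DRIVER_NAMES:
        reasons.append("known abused driver name")
    return reasons


def check_driver_load(ev: Dict) -> List[str]:
    """Sysmon 6: the load itself, regardless of signature state. The Intel
    driver carries a valid signature, so SignatureStatus alone never clears it."""
    reasons = []
    if ev.get("EventID") != 6:
        return reasons
    image = normalize_path(ev.get("ImageLoaded", ""))
    if ntpath.basename(image).lower() in ABUSED_DRIVER_NAMES:
        reasons.append("known abused driver loaded")
    if USER_WRITABLE.search(image):
        reasons.append("driver loaded from user-writable path")
    return reasons


def detect(events: List[Dict]) -> List[Dict]:
    """Run both rule sets over a list of event records and return the alerts."""
    alerts = []
    for ev in events:
        reasons = check_service_install(ev) + check_driver_load(ev)
        if reasons:
            alerts.append({"record": ev.get("RecordId"), "event_id": ev["EventID"], "reasons": reasons})
    return alerts


# Constructed records (field names follow the real events; values are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7045, "ServiceName": "Netwtw10", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"\SystemRoot\System32\drivers\Netwtw10.sys"},
    {"RecordId": 2, "EventID": 7045, "ServiceName": "iqvw64e", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"\??\C:\Users\user\AppData\Local\Temp\iqvw64e.sys"},
    {"RecordId": 3, "EventID": 6, "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\iqvw64e.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"RecordId": 4, "EventID": 7045, "ServiceName": "ExampleAgent", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": r"C:\Program Files\ExampleAgent\agent.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately independent: the 7045 rule fires on the registration even if the kernel later refuses the load, and the Sysmon 6 rule fires on the load even when the service was registered under a different name or the file was renamed, as long as it still came from a temp directory. Neither rule consults the signature, because a validly signed driver is exactly what this technique relies on.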
Source: classification engine |
Classification label: mal68.rans.winEXE@2/0@0/0 |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C31F770 _invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindResourceExW,LoadResource,LockResource,SizeofResource,FindResourceW,LoadResource,LockResource,SizeofResource,WideCharToMultiByte,WideCharToMultiByte, |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03 |
Source: 9HwMaWcccx.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\9HwMaWcccx.exe "C:\Users\user\Desktop\9HwMaWcccx.exe" |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: d3d11.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: d3dcompiler_43.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: dxgi.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: msvcp140.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: vcruntime140_1.dll |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Section loaded: vcruntime140.dll |
Source: 9HwMaWcccx.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: 9HwMaWcccx.exe |
Static file information: File size 2647552 > 1048576 |
Source: 9HwMaWcccx.exe |
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x225c00 |
Source: 9HwMaWcccx.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 9HwMaWcccx.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 9HwMaWcccx.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 9HwMaWcccx.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 9HwMaWcccx.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 9HwMaWcccx.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 9HwMaWcccx.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 9HwMaWcccx.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 9HwMaWcccx.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 9HwMaWcccx.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 9HwMaWcccx.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C2E8140 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C3039B1 push 8B48D68Bh; retf |
0_2_00007FF69C3039BC |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C32B410 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C3087A0 GetProcessHeap,_Init_thread_footer,_Init_thread_footer, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C32A968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\9HwMaWcccx.exe |
Code function: 0_2_00007FF69C32B290 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |