Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 3836, cmdline: "C:\Users\user\Desktop\file.exe", MD5: ED7E56BB217C2448AD3B61F5BFD83E16)
- conhost.exe (PID: 3576, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
AV Detection
- Source: Integrated Neural Analysis Model
- Source: Binary or memory string: memstr_40c172d8-c
- Source: Static PE information
- Source: Binary string (2 entries)
- Source: String found in binary or memory (4 entries)

System Summary
- Source: Long String
- Source: Static PE information
- Source: Binary or memory string (7 entries)
- Source: Base64 encoded string
- Source: Classification label
- Source: File created
- Source: Mutant created (2 entries)
- Source: Static PE information
- Source: Key opened
- Source: String found in binary or memory
- Source: Process created (2 entries)
- Source: Section loaded (5 entries)
- Source: Static PE information (2 entries)
- Source: Static file information
- Source: Static PE information (4 entries)
- Source: Binary string (2 entries)
- Source: Static PE information (3 entries)
- Source: File created (dropped file)

Malware Analysis System Evasion
- Source: Binary or memory string
- Source: File opened / queried (6 entries)
- Source: Dropped PE file which has not been started
- Source: Binary or memory string
- Source: Process information queried

Stealing of Sensitive Information
- Source: String found in binary or memory (5 entries)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 6% | Virustotal | | |

Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 4% | Virustotal | | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
72.5.42.222 | unknown | United States | | 16769 | UNASSIGNED | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524653 |
Start date and time: | 2024-10-03 03:25:12 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 31s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal56.spyw.evad.winEXE@2/2@0/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Not all processes were analyzed; the report is missing behavior information
- Skipping network analysis since amount of network traffic is too extensive
Match | Detection | Threat Name |
---|---|---|
72.5.42.222 | malicious | Unknown |
72.5.42.222 | malicious | Unknown |

Match | Detection | Threat Name |
---|---|---|
UNASSIGNED | malicious | Mirai |
UNASSIGNED | malicious | Mirai, Moobot |
UNASSIGNED | malicious | Mirai, Moobot |
UNASSIGNED | malicious | Mirai, Moobot |
UNASSIGNED | malicious | Unknown |
UNASSIGNED | malicious | Unknown |
UNASSIGNED | malicious | Unknown |
UNASSIGNED | malicious | Unknown |
UNASSIGNED | malicious | Mirai |
UNASSIGNED | malicious | PayPal Phisher |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12 |
Entropy (8bit): | 3.251629167387823 |
Encrypted: | false |
SSDEEP: | 3:uV7:uV7 |
MD5: | 5BA3109591C14902B71103BD5C0250B7 |
SHA1: | 349484696FECDB27731E44B60010FE8489BCC610 |
SHA-256: | 8943D6990D95AA6E028EFB24648884F9C29125785F07BDE47134979D21B445CF |
SHA-512: | B28919F85AD9C80C2DDF614B2B1AF6B6E3119FCF1778E15FF3F89FBCAB13A4DC87B80020D56FAA2A2CEE11B197E556E72098473C6156E46C565C8FAA3EA6AEAA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 352256 |
Entropy (8bit): | 4.8740045721641545 |
Encrypted: | false |
SSDEEP: | 3072:YMPzUfhHQzO0rYJwudIDZ08lxJ/qEz/zWPbi4h3P5NdrRH44sYnWjoNcdhCPsw7S:WHQaXdIDZ0O5z/zMKug |
MD5: | FEB9621DD938083A9474C9BEC4BF3BD4 |
SHA1: | 2AE0DB9361EFBC9F673AADA57C87537C6CE25039 |
SHA-256: | 134B1F9F0F0C344EAA58092DEF1D104711732D5246C5EEA2E30B96785444FC72 |
SHA-512: | 4D3196855725199920F821F8ED6EDECCCB7501589828E367DA46EA8C6C2ED8C48BDCA98F4BDFB12AA09EE5C06A60121D7488293E33DA434E82D08D9C12BCB907 |
Malicious: | false |
Antivirus: | |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.833180945394466 |
TrID: | |
File name: | file.exe |
File size: | 2'427'392 bytes |
MD5: | ed7e56bb217c2448ad3b61f5bfd83e16 |
SHA1: | 92d994024ff61db1726d0ace38e6b4f22a8ef522 |
SHA256: | 36214001aad5a561e3e8e17334adb7e507f937510978302c860df84ec647be2b |
SHA512: | 4a7aa240a034023e4453cbd4b408b977431912132a4dd058f60d39a8d13547f7cfb2cb7e0666ac4401c6a490e1cb214af7c6d9d4c95037f638c817b302f59b33 |
SSDEEP: | 49152:n1EofVNQzBWKHqP6qhw6rb1eNhuQk/FJjnDViNgi:n1EofCqhw6rb1eNhuln0gi |
TLSH: | 1FB58D6A77A811C5D1BBD13DC587471BEAB274550330A7CF05A486AA2F23BEA5E3F310 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.............4..Q....4.......4.......1.......1.......1.......1.......4...............0.......0.......0......Rich........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x140005ecf |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66FD572D [Wed Oct 2 14:22:37 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 6488053962cbd82251db464b97b3cf51 |
Instruction |
---|
jmp 00007EFC54EF233Dh |
jmp 00007EFC54EDCA18h |
jmp 00007EFC54F56B43h |
jmp 00007EFC54F803AAh |
jmp 00007EFC54EE6FE1h |
jmp 00007EFC54F6A894h |
jmp 00007EFC54F2664Bh |
jmp 00007EFC54E41D2Eh |
jmp 00007EFC54E1F469h |
jmp 00007EFC54E07E44h |
jmp 00007EFC54EA015Fh |
jmp 00007EFC54F8BEFAh |
jmp 00007EFC54EF8A8Dh |
jmp 00007EFC54DF0970h |
jmp 00007EFC54F12C0Bh |
jmp 00007EFC54EBD976h |
jmp 00007EFC54F810D9h |
jmp 00007EFC54F4ED38h |
jmp 00007EFC54F35F5Fh |
jmp 00007EFC54EB6BA2h |
jmp 00007EFC54F2712Dh |
jmp 00007EFC54EB68F8h |
jmp 00007EFC54EF89E7h |
jmp 00007EFC54F0507Eh |
jmp 00007EFC54F14E49h |
jmp 00007EFC54F3A004h |
jmp 00007EFC54EE9B93h |
jmp 00007EFC54DEF0FAh |
jmp 00007EFC54F8E085h |
jmp 00007EFC54F250CCh |
jmp 00007EFC54ED2983h |
jmp 00007EFC54F5E302h |
jmp 00007EFC54E3BA51h |
jmp 00007EFC54ED2788h |
jmp 00007EFC54EEE9BBh |
jmp 00007EFC54F59AAAh |
jmp 00007EFC54F4EB15h |
jmp 00007EFC54EDF70Ch |
jmp 00007EFC54F193AFh |
jmp 00007EFC54ED8C56h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24fbd0 | 0x78 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x239000 | 0x13a4c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x255000 | 0x1828 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x209340 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x20aa20 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2091c0 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24f000 | 0xbd0 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1dadeb | 0x1dae00 | 10a6d7ad3ff35e8016eb80224a048754 | False | 0.34828706978810214 | data | 5.697633872285412 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1dc000 | 0x553fb | 0x55400 | 00cc44b0b3032f83001650a59af046fd | False | 0.2979804343841642 | DIY-Thermocam raw data (Lepton 3.x), scale 29298-28530, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 2361183241434822606848.000000, slope 18056348397753959481006358528.000000 | 4.88354001059169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x232000 | 0x68e0 | 0x3a00 | 9b27573eb65d809520a2a4d49c8b8385 | False | 0.130859375 | data | 3.112707803326104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x239000 | 0x15aec | 0x15c00 | b4727c49c34746c0875efa255203cf5b | False | 0.49016702586206895 | data | 5.87110131093572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x24f000 | 0x2ed1 | 0x3000 | 906ce74aac2163d3fd2658373db52d63 | False | 0.24951171875 | data | 4.029686692197833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x252000 | 0x309 | 0x400 | c573bd7cea296a9c5d230ca6b5aee1a6 | False | 0.021484375 | data | 0.011173818721219527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.00cfg | 0x253000 | 0x175 | 0x200 | 77b66dfefd19366e7812c31a2435dc31 | False | 0.0703125 | data | 0.41168091652472194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.fptable | 0x254000 | 0x233 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x255000 | 0x3341 | 0x3400 | 5aed6357a8902b771fcbf4f252033ffa | False | 0.19005408653846154 | data | 3.376969983481898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
CRYPT32.dll | CertGetNameStringW, CryptQueryObject, CertFindExtension, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryW, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertCreateCertificateChainEngine, CertOpenStore |
ADVAPI32.dll | CryptImportKey, CryptDestroyKey, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, CryptEncrypt |
WS2_32.dll | connect, getsockopt, gethostname, ioctlsocket, sendto, recvfrom, freeaddrinfo, getaddrinfo, listen, htonl, accept, select, __WSAFDIsSet, WSAIoctl, socket, setsockopt, recv, htons, getsockname, send, getpeername, bind, WSACleanup, WSAStartup, inet_ntop, WSASetLastError, ntohs, inet_pton, WSAGetLastError, closesocket, WSAWaitForMultipleEvents, WSASetEvent, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent |
bcrypt.dll | BCryptGenRandom |
KERNEL32.dll | WriteConsoleW, HeapSize, OutputDebugStringW, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SetConsoleCtrlHandler, SetEndOfFile, SetStdHandle, HeapReAlloc, GetTimeZoneInformation, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, VirtualProtect, IsThreadAFiber, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, HeapFree, HeapAlloc, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, GetCommandLineW, GetCommandLineA, SetFilePointerEx, GetModuleHandleExW, FreeLibraryAndExitThread, ResumeThread, GetEnvironmentVariableW, SetEnvironmentVariableW, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateDirectoryW, CreateFileW, DeleteFileW, GetFileAttributesW, GetFileSize, ReadFile, RemoveDirectoryW, WriteFile, IsDebuggerPresent, CloseHandle, GetLastError, SetLastError, SetNamedPipeHandleState, CreateNamedPipeW, InitializeConditionVariable, SetEvent, ResetEvent, ReleaseMutex, WaitForSingleObject, CreateMutexW, CreateEventW, CreateEventExW, CreateWaitableTimerExW, Sleep, WaitForMultipleObjects, GetCurrentProcess, GetCurrentProcessId, ExitProcess, GetCurrentThread, GetCurrentThreadId, SetThreadPriority, CreateProcessA, ProcessIdToSessionId, GetProcessId, OpenProcess, GetProcessHandleCount, SetProcessPriorityBoost, GetSystemInfo, GetSystemTime, SetSystemTime, GetLogicalProcessorInformation, GetSystemTimePreciseAsFileTime, CreateFileMappingW, OpenFileMappingW, MapViewOfFile, MapViewOfFileEx, UnmapViewOfFile, OpenJobObjectW, AssignProcessToJobObject, SetInformationJobObject, GetModuleFileNameW, GetModuleHandleW, GlobalAlloc, GlobalFree, LocalAlloc, LocalFree, SetProcessAffinityMask, QueryFullProcessImageNameW, RegisterWaitForSingleObject, FreeConsole, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceFrequency, GetSystemDirectoryW, FreeLibrary, GetProcAddress, LoadLibraryW, SleepEx, QueryPerformanceCounter, GetTickCount, MultiByteToWideChar, WideCharToMultiByte, MoveFileExW, WaitForSingleObjectEx, GetEnvironmentVariableA, GetStdHandle, GetFileType, PeekNamedPipe, VerSetConditionMask, GetModuleHandleA, VerifyVersionInfoW, GetFileSizeEx, FormatMessageA, GetLocaleInfoEx, ReleaseSRWLockShared, AcquireSRWLockShared, TryAcquireSRWLockExclusive, TryAcquireSRWLockShared, SleepConditionVariableSRW, GetTickCount64, GetStringTypeW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetDiskFreeSpaceExW, GetFileAttributesExW, GetFileInformationByHandle, GetFinalPathNameByHandleW, GetFullPathNameW, SetFileAttributesW, SetFileInformationByHandle, SetFileTime, GetTempPathW, AreFileApisANSI, DeviceIoControl, CreateDirectoryExW, CopyFileW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, InitOnceExecuteOnce, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, FreeLibraryWhenCallbackReturns, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, WakeAllConditionVariable, GetStartupInfoW, InitializeSListHead, ExitThread, RtlPcToFileHeader, RaiseException, RtlUnwindEx, InterlockedPushEntrySList, InterlockedFlushSList, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, CreateThread, RtlUnwind |
Target ID: | 0 |
Start time: | 21:26:20 |
Start date: | 02/10/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff76bc10000 |
File size: | 2'427'392 bytes |
MD5 hash: | ED7E56BB217C2448AD3B61F5BFD83E16 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 21:26:20 |
Start date: | 02/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6ee680000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |