| Source: 00000000.00000002.2051307002.00000000044C0000.00000004.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: DarkGate {"C2 url": "91.222.173.80", "check_ram": false, "crypter_rawstub": "DarkGate", "crypter_dll": "R0ijS0qCVITtS0e6xeZ", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "startup_persistence": false, "flag_32": false, "anti_vm": true, "min_disk": false, "flag_18": 100, "anti_analysis": true, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": true, "flag_23": false, "flag_31": false, "flag_24": "new10oct", "flag_25": "x88y8y", "flag_26": false, "flag_27": "voULmQMO", "flag_28": false, "flag_29": 2, "flag_35": false} |
| Source: Submited Sample |
Integrated Neural Analysis Model: Matched 96.8% probability |
| Source: upd_1916298.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| Source: upd_1916298.exe |
Static PE information: certificate valid |
| Source: |
Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb source: upd_1916298.exe |
| Source: |
Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb\NvN hN_CorDllMainmscoree.dll source: upd_1916298.exe |
| Source: |
Binary string: wa_3rd_party_host_32.pdb source: upd_1916298.exe |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043588D0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
0_2_043588D0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043589D8 FindFirstFileA,GetLastError, |
0_2_043589D8 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04398A34 FindFirstFileW,FindNextFileW,FindClose, |
0_2_04398A34 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04372B90 FindFirstFileA,FindNextFileA,FindClose, |
0_2_04372B90 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043795A4 FindFirstFileW,FindNextFileW,FindClose, |
0_2_043795A4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043A12AC FindFirstFileW,FindNextFileW,FindClose, |
0_2_043A12AC |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439FDC0 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose, |
0_2_0439FDC0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04355934 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
0_2_04355934 |
| Source: Malware configuration extractor |
IPs: 91.222.173.80 |
| Source: Joe Sandbox View |
ASN Name: KICUA-ASGI KICUA-ASGI |
| Source: upd_1916298.exe |
String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w |
| Source: upd_1916298.exe |
String found in binary or memory: http://cevcsca2021.ocsp-certum.com07 |
| Source: upd_1916298.exe |
String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l |
| Source: upd_1916298.exe |
String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0 |
| Source: upd_1916298.exe |
String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G |
| Source: upd_1916298.exe |
String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C |
| Source: upd_1916298.exe |
String found in binary or memory: http://ocsp2.globalsign.com/rootr606 |
| Source: upd_1916298.exe |
String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0 |
| Source: upd_1916298.exe |
String found in binary or memory: http://repository.certum.pl/ctnca2.cer09 |
| Source: upd_1916298.exe |
String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0 |
| Source: upd_1916298.exe |
String found in binary or memory: http://subca.ocsp-certum.com02 |
| Source: upd_1916298.exe |
String found in binary or memory: http://www.certum.pl/CPS0 |
| Source: upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp |
String found in binary or memory: https://mail.google.com/mail/u/0/#inbox |
| Source: upd_1916298.exe |
String found in binary or memory: https://www.certum.pl/CPS0 |
| Source: upd_1916298.exe |
String found in binary or memory: https://www.globalsign.com/repository/0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436BE20 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard, |
0_2_0436BE20 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04380380 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, |
0_2_04380380 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04371458 GetAsyncKeyState, |
0_2_04371458 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043792B0 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject, |
0_2_043792B0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00401093 NtAllocateVirtualMemory,NtCreateSection,NtMapViewOfSection,LoadLibraryA, |
0_2_00401093 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04370694 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, |
0_2_04370694 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04370374 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, |
0_2_04370374 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04399C28 NtDuplicateObject,NtClose, |
0_2_04399C28 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04399C5C NtQueryObject,NtQueryObject, |
0_2_04399C5C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04399CB4 NtOpenProcess, |
0_2_04399CB4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04399D04 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose, |
0_2_04399D04 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04399FA8 Sleep,TerminateThread,NtClose,NtClose, |
0_2_04399FA8 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0044F050 |
0_2_0044F050 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00409000 |
0_2_00409000 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004470D0 |
0_2_004470D0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0041E0E0 |
0_2_0041E0E0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004290A0 |
0_2_004290A0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004340A0 |
0_2_004340A0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00425120 |
0_2_00425120 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00423250 |
0_2_00423250 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004102E0 |
0_2_004102E0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0040F300 |
0_2_0040F300 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00417330 |
0_2_00417330 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004A23F0 |
0_2_004A23F0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004373A5 |
0_2_004373A5 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00441460 |
0_2_00441460 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00421430 |
0_2_00421430 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0041E600 |
0_2_0041E600 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00430620 |
0_2_00430620 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00427720 |
0_2_00427720 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00482720 |
0_2_00482720 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0044F840 |
0_2_0044F840 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0041F800 |
0_2_0041F800 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0042E880 |
0_2_0042E880 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0040E890 |
0_2_0040E890 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00408930 |
0_2_00408930 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00403980 |
0_2_00403980 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00428A80 |
0_2_00428A80 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00422A90 |
0_2_00422A90 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0040BBE0 |
0_2_0040BBE0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00409CF0 |
0_2_00409CF0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0041BD40 |
0_2_0041BD40 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00414D50 |
0_2_00414D50 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00426D00 |
0_2_00426D00 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00429D30 |
0_2_00429D30 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_004A0D30 |
0_2_004A0D30 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00401DF0 |
0_2_00401DF0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00421F80 |
0_2_00421F80 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00467FB0 |
0_2_00467FB0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0438443C |
0_2_0438443C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043909F4 |
0_2_043909F4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0438F40C |
0_2_0438F40C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436FB8C |
0_2_0436FB8C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 04354300 appears 72 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 04354324 appears 41 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 00408870 appears 205 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 004085B0 appears 32 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 04354354 appears 47 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 04377B38 appears 32 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 00409A30 appears 134 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 0042C200 appears 41 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 043548C4 appears 88 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 04354628 appears 36 times |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: String function: 04356940 appears 77 times |
|
| Source: upd_1916298.exe |
Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| Source: upd_1916298.exe, 00000000.00000000.2023489319.0000000000615000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamelibwapshost.dll8 vs upd_1916298.exe |
| Source: upd_1916298.exe, 00000000.00000000.2023489319.0000000000615000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamewa_3rd_party_host_32.exe8 vs upd_1916298.exe |
| Source: upd_1916298.exe, 00000000.00000000.2023416131.00000000005AE000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: mQFileDescriptionFileVersionCommentsCompanyNameLegalTrademarksOriginalFilenameInternalNameLegalCopyrightProductVersionSpecialBuildPrivateBuildProductName\StringFileInfo\%04X%04X\%sOLESelfRegister\VarFileInfo\Translationcmd.exe /S /C "" 2> > OPSWAT" QuietDisplayNameDisplayNameSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UTCPMTZkernel32.dll%vm_idExecutablePath.+\\(.+)attempt_synchronizeactionroot\cimv2SELECT ExecutablePath,ProcessId,CommandLine from Win32_ProcessCommandLineProcessIdrunningrun<vmstate type="string">(.+?)</vmstate>vmwindow.exe%"C:\Windows\system32\VMWindow.exe"VMWindow.exe" -file "pausedsuspendC:\Windows\system32\timeout.exe /t 1SELECT CommandLine from Win32_Process where CommandLine like "%shut_downC:\Windows\system32\Taskkill.exe"C:\Windows\system32\Taskkill.exe" /PID /FremovableQHGetSigDatabaseVersionAQHGetSigDatabaseTimeQHIsAVInstalledQHIsOnAccessScanEnabledQHGetEngineVersionWQHGetEngineVersionAQHGetSigDatabaseVersionWQHInitUpdateQHIsLicenseExpiredQHGetExpDateQHEnableOnAccessScanQHFreeThreatHistoryListWQHGetThreatHistoryWQHFreeThreatHistoryListAQHGetThreatHistoryAQHGetDigitalCertSignerAQHGetAppLanguageWQHGetAppLanguageAQHIsUpdateInProgressQHGetSigDatabaseDirAQHGetProductInstallDirWQHGetProductInstallDirAQHGetDigitalCertSignerWQHInitiateFolderScanWQHInitiateFolderScanAQHInitiateFullScanQHGetSigDatabaseDirWQHIsFullScanRunningQHGetLastFullScanTimeQHInitiateFileScanWQHInitiateFileScanAQHGetSASQHStatusQHOpenScanner%s%sopswatai.dllQHChangeOnAccessScanStateSCANAPI.DLLSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE vs upd_1916298.exe |
| Source: upd_1916298.exe |
Binary or memory string: mQFileDescriptionFileVersionCommentsCompanyNameLegalTrademarksOriginalFilenameInternalNameLegalCopyrightProductVersionSpecialBuildPrivateBuildProductName\StringFileInfo\%04X%04X\%sOLESelfRegister\VarFileInfo\Translationcmd.exe /S /C "" 2> > OPSWAT" QuietDisplayNameDisplayNameSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UTCPMTZkernel32.dll%vm_idExecutablePath.+\\(.+)attempt_synchronizeactionroot\cimv2SELECT ExecutablePath,ProcessId,CommandLine from Win32_ProcessCommandLineProcessIdrunningrun<vmstate type="string">(.+?)</vmstate>vmwindow.exe%"C:\Windows\system32\VMWindow.exe"VMWindow.exe" -file "pausedsuspendC:\Windows\system32\timeout.exe /t 1SELECT CommandLine from Win32_Process where CommandLine like "%shut_downC:\Windows\system32\Taskkill.exe"C:\Windows\system32\Taskkill.exe" /PID /FremovableQHGetSigDatabaseVersionAQHGetSigDatabaseTimeQHIsAVInstalledQHIsOnAccessScanEnabledQHGetEngineVersionWQHGetEngineVersionAQHGetSigDatabaseVersionWQHInitUpdateQHIsLicenseExpiredQHGetExpDateQHEnableOnAccessScanQHFreeThreatHistoryListWQHGetThreatHistoryWQHFreeThreatHistoryListAQHGetThreatHistoryAQHGetDigitalCertSignerAQHGetAppLanguageWQHGetAppLanguageAQHIsUpdateInProgressQHGetSigDatabaseDirAQHGetProductInstallDirWQHGetProductInstallDirAQHGetDigitalCertSignerWQHInitiateFolderScanWQHInitiateFolderScanAQHInitiateFullScanQHGetSigDatabaseDirWQHIsFullScanRunningQHGetLastFullScanTimeQHInitiateFileScanWQHInitiateFileScanAQHGetSASQHStatusQHOpenScanner%s%sopswatai.dllQHChangeOnAccessScanStateSCANAPI.DLLSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE vs upd_1916298.exe |
| Source: upd_1916298.exe |
Binary or memory string: OriginalFilenamelibwapshost.dll8 vs upd_1916298.exe |
| Source: upd_1916298.exe |
Binary or memory string: OriginalFilenamewa_3rd_party_host_32.exe8 vs upd_1916298.exe |
| Source: upd_1916298.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| Source: classification engine |
Classification label: mal88.troj.spyw.evad.winEXE@6/2@0/1 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0437D924 GetLastError,FormatMessageA, |
0_2_0437D924 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04358C34 GetDiskFreeSpaceA, |
0_2_04358C34 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0435DEC0 CreateToolhelp32Snapshot, |
0_2_0435DEC0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
File created: C:\Users\user\AppData\Roaming\EFeACAf |
Jump to behavior |
| Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3424:120:WilError_03 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
File created: C:\temp\ |
Jump to behavior |
| Source: upd_1916298.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Jump to behavior |
| Source: upd_1916298.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72% |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
| Source: upd_1916298.exe, 00000000.00000000.2023416131.00000000005AE000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
| Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000000.2023416131.00000000005AE000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q); |
| Source: upd_1916298.exe |
String found in binary or memory: ADeinitializing RunsplacePool ...OClosing and disposing RunsplacePool ...KFinished Deinitializing RunsplacePool=debug_log_output_path.:"(.+?)"3Create Powershell engine.-Start PSInvoke. Cmd: |
| Source: unknown |
Process created: C:\Users\user\Desktop\upd_1916298.exe "C:\Users\user\Desktop\upd_1916298.exe" |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee |
|
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain |
|
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee |
Jump to behavior |
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: apphelp.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: version.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: wininet.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: wsock32.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: winmm.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: urlmon.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: iertutil.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: srvcli.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: netutils.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Section loaded: sspicli.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: framedynos.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: sspicli.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: msxml6.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: urlmon.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: iertutil.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: srvcli.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: netutils.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: amsi.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: userenv.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: profapi.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: version.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: vbscript.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Section loaded: sxs.dll |
Jump to behavior |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Jump to behavior |
| Source: upd_1916298.exe |
Static PE information: certificate valid |
| Source: upd_1916298.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
| Source: upd_1916298.exe |
Static file information: File size 2695440 > 1048576 |
| Source: upd_1916298.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a0000 |
| Source: upd_1916298.exe |
Static PE information: More than 200 imports for KERNEL32.dll |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
| Source: upd_1916298.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: |
Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb source: upd_1916298.exe |
| Source: |
Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb\NvN hN_CorDllMainmscoree.dll source: upd_1916298.exe |
| Source: |
Binary string: wa_3rd_party_host_32.pdb source: upd_1916298.exe |
| Source: upd_1916298.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
| Source: upd_1916298.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
| Source: upd_1916298.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
| Source: upd_1916298.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
| Source: upd_1916298.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436C0C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_0436C0C8 |
| Source: upd_1916298.exe |
Static PE information: section name: .didat |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_00591179 push ecx; ret |
0_2_0059118C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0053C4D6 push ecx; ret |
0_2_0053C4E9 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04378424 push 04378450h; ret |
0_2_04378448 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439847C push 043984C8h; ret |
0_2_043984C0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043564A4 push 043564F5h; ret |
0_2_043564ED |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043A0498 push 043A05C6h; ret |
0_2_043A05BE |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439A484 push 0439A4B0h; ret |
0_2_0439A4A8 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436A5F0 push 0436A69Bh; ret |
0_2_0436A693 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436A5EE push 0436A69Bh; ret |
0_2_0436A693 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436A6A0 push 0436A730h; ret |
0_2_0436A728 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043566EC push 04356718h; ret |
0_2_04356710 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436A734 push 0436A760h; ret |
0_2_0436A758 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436A732 push 0436A760h; ret |
0_2_0436A758 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439C73C push 0439C77Ch; ret |
0_2_0439C774 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0435673E push 0435676Ch; ret |
0_2_04356764 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436C774 push 0436C7ACh; ret |
0_2_0436C7A4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04356740 push 0435676Ch; ret |
0_2_04356764 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439C7AC push 0439C7D8h; ret |
0_2_0439C7D0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04368028 push ecx; mov dword ptr [esp], ecx |
0_2_0436802D |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436C066 push 0436C094h; ret |
0_2_0436C08C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436C068 push 0436C094h; ret |
0_2_0436C08C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04370128 push 04370154h; ret |
0_2_0437014C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439A10C push 0439A138h; ret |
0_2_0439A130 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04370160 push 0437018Ch; ret |
0_2_04370184 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043701BE push 043701ECh; ret |
0_2_043701E4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043701C0 push 043701ECh; ret |
0_2_043701E4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439A2AC push 0439A2D8h; ret |
0_2_0439A2D0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043902D8 push ecx; mov dword ptr [esp], eax |
0_2_043902DA |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436CC34 push 0436CC70h; ret |
0_2_0436CC68 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04396C10 push 04396E0Bh; ret |
0_2_04396E03 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439CC14 push 0439CCCEh; ret |
0_2_0439CCC6 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436C0C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_0436C0C8 |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043A2064 |
0_2_043A2064 |
| Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp |
Binary or memory string: SUPERANTISPYWARE.EXE |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
API coverage: 4.6 % |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043A2064 |
0_2_043A2064 |
| Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Last function: Thread delayed |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043588D0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
0_2_043588D0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043589D8 FindFirstFileA,GetLastError, |
0_2_043589D8 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04398A34 FindFirstFileW,FindNextFileW,FindClose, |
0_2_04398A34 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04372B90 FindFirstFileA,FindNextFileA,FindClose, |
0_2_04372B90 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043795A4 FindFirstFileW,FindNextFileW,FindClose, |
0_2_043795A4 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043A12AC FindFirstFileW,FindNextFileW,FindClose, |
0_2_043A12AC |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0439FDC0 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose, |
0_2_0439FDC0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04355934 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
0_2_04355934 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043768D0 GetSystemInfo, |
0_2_043768D0 |
| Source: upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp |
Binary or memory string: vmware |
| Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp |
Binary or memory string: microsoft hyper-v video |
| Source: upd_1916298.exe, 00000000.00000002.2050990300.000000000281E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Process information queried: ProcessInformation |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_005526A5 IsDebuggerPresent,OutputDebugStringW, |
0_2_005526A5 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436C0C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_0436C0C8 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0057C074 mov eax, dword ptr fs:[00000030h] |
0_2_0057C074 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0058061A mov eax, dword ptr fs:[00000030h] |
0_2_0058061A |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436D494 mov eax, dword ptr fs:[00000030h] |
0_2_0436D494 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436FB8C mov eax, dword ptr fs:[00000030h] |
0_2_0436FB8C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0436FB8C mov eax, dword ptr fs:[00000030h] |
0_2_0436FB8C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04370374 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, |
0_2_04370374 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0053B537 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0053B537 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0056DD94 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0056DD94 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04373730 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle, |
0_2_04373730 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04373730 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle, |
0_2_04373730 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04396BA8 mouse_event,mouse_event, |
0_2_04396BA8 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee |
Jump to behavior |
| Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0053C0F0 cpuid |
0_2_0053C0F0 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
0_2_04355B0C |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: GetLocaleInfoA, |
0_2_04356430 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: GetLocaleInfoA,GetACP, |
0_2_0435CB64 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: GetLocaleInfoA, |
0_2_0435B4FC |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: GetLocaleInfoA, |
0_2_0435B548 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
0_2_04355C17 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID |
Jump to behavior |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0053C4EB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_0053C4EB |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_04376A54 GetUserNameA, |
0_2_04376A54 |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_0057D5CA _free,_free,_free,GetTimeZoneInformation,_free, |
0_2_0057D5CA |
| Source: C:\Users\user\Desktop\upd_1916298.exe |
Code function: 0_2_043564F9 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, |
0_2_043564F9 |
| Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp |
Binary or memory string: mcshield.exe |
| Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp |
Binary or memory string: superantispyware.exe |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.4350000.3.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.42f0000.2.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.42f0000.2.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 00000000.00000002.2051199600.00000000043AE000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: upd_1916298.exe PID: 4508, type: MEMORYSTR |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.4350000.3.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.4350000.3.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.42f0000.2.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.42f0000.2.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: upd_1916298.exe PID: 4508, type: MEMORYSTR |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.4350000.3.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.42f0000.2.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 0.2.upd_1916298.exe.42f0000.2.raw.unpack, type: UNPACKEDPE |
| Source: Yara match |
File source: 00000000.00000002.2051199600.00000000043AE000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: upd_1916298.exe PID: 4508, type: MEMORYSTR |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet