Analysis Report
Overview
General Information |
---|
Analysis ID: | 58913 |
Start time: | 19:34:25 |
Start date: | 20/04/2015 |
Overall analysis duration: | 0h 4m 2s |
Report type: | full |
Sample file name: | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe |
Cookbook file name: | VM Aware.jbs |
Analysis system description: | Windows 7 (Office 2003 SP1, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 2 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
HCA success: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 60 | 0 - 100 | Report FP / FN | |
Signature Overview |
---|
Networking: |
---|
Urls found in memory or binary data |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | String found in binary or memory: |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | String found in binary or memory: |
Contains functionality to download additional files from the internet |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00161470 |
Remote Access Functionality: |
---|
Contains strings related to BOT control commands |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | String found in binary or memory: |
Data Obfuscation: |
---|
Contains functionality to dynamically determine API calls |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_0016243C |
Generates new code (likely due to unpacking of malware or shellcode) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code execution: |
PE file contains sections with non-standard names |
Source: initial sample | Static PE information: |
Source: initial sample | Static PE information: |
System Summary: |
---|
Contains functionality to enum processes or threads |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00163268 |
PE file has an executable .text section and no other executable section |
Source: initial sample | Static PE information: |
Contains functionality to call native functions |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_0040100D | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_0040113F | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00401000 | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00162087 | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00162A28 | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00163D6C | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_001630B0 | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_001620A8 | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00162958 |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string: |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string: |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string: |
Contains functionality to inject code into explorer (shared memory section, SetWindowLong, SendNotifyMessage technique) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00162A26 |
Anti Debugging: |
---|
Contains functionality to register its own exception handler |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_001645FA | |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00163A14 |
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_001633E7 |
Contains functionality to dynamically determine API calls |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_0016243C |
Contains functionality which may be used to detect a debugger (GetProcessHeap) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00161470 |
Program does not show much activity (idle) |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: |
Malware Analysis System Evasion: |
---|
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Source: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string: |
Contains capabilities to detect virtual machines |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Registry key queried: |
Found decision node followed by non-executed suspicious APIs |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Decision node followed by non-executed suspicious API: | graph_2-2063 |
Found evasive API chain (may stop execution after accessing registry keys) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain: | graph_2-2283 |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain: | graph_2-2283 |
Found large amount of non-executed APIs |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | API coverage: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe TID: 3220 | Thread sleep count: |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe TID: 3220 | Thread sleep time: |
Program does not show much activity (idle) |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: |
Contains functionality to generate a fingerprint of the current system |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00161B96 |
Found evasive API chain (may stop execution after checking a module file name) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain: | graph_2-1925 |
Found evasive API chain (may stop execution after checking volume information) |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain: | graph_2-1928 |
Language, Device and Operating System Detection: |
---|
Contains functionality to query windows version |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function: | 2_2_00163588 |
Queries the volume information (name, serial number etc) of a device |
Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Queries volume information: |
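The "Malware Analysis System Evasion" and "Language, Device and Operating System Detection" entries above describe two behaviours the sandbox scores from the API trace: a thread that spends most of its life in Sleep (TID 3220, "Thread sleep count" / "Thread sleep time"), and an environment check (VM artifact registry key, volume information, own module file name) followed by process exit with no real work in between (the "evasive API chain" graphs). The script below is an added example, not the sandbox vendor's detection code: it implements both checks over a small API trace constructed in the file. The trace line format `tid=<thread> <API> <argument>` and the thresholds are assumptions made for the example; the VM-artifact registry patterns are the commonly known VMware/VirtualBox ones and are illustrative, not exhaustive.

```python
"""Detection logic for the sleep-loop and evasive-API-chain signatures over an API trace."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^tid=(\d+)\s+(\w+)(?:\s+(.*))?$")   # assumed trace format
SLEEP_APIS = {"Sleep", "SleepEx"}
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
# APIs that read what an environment check compares against (volume serial, own path).
CHECK_APIS = {"GetVolumeInformationW", "GetVolumeInformationA",
              "GetModuleFileNameW", "GetModuleFileNameA"}
# Registry locations whose contents name the hypervisor; illustrative, not exhaustive.
VM_ARTIFACT_PATTERNS = [re.compile(p, re.I) for p in (
    r"VMware", r"VBOX", r"VirtualBox", r"QEMU",
    r"Services\\Disk\\Enum", r"Scsi Port \d", r"SystemBiosVersion", r"VideoBiosVersion")]
# Anything that looks like real work: once seen, the earlier checks were not a gate.
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "InternetOpenW",
                "connect", "send", "WriteProcessMemory", "CreateRemoteThread"}


def parse_trace(text: str) -> list:
    """Return [(tid, api, argument)] in trace order; rejects lines it cannot parse."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable trace line: {line!r}")
        tid, api, arg = m.groups()
        calls.append((int(tid), api, arg or ""))
    return calls


def find_sleep_loops(calls, min_count=20, min_total_ms=30_000) -> dict:
    """Threads whose Sleep calls exceed either threshold: {tid: {"count", "total_ms"}}."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for tid, api, arg in calls:
        if api in SLEEP_APIS:
            parts = arg.split()
            ms = int(parts[0]) if parts and parts[0].isdigit() else 0   # first argument: dwMilliseconds
            stats[tid]["count"] += 1
            stats[tid]["total_ms"] += ms
    return {tid: s for tid, s in stats.items()
            if s["count"] >= min_count or s["total_ms"] >= min_total_ms}


def describe_check(api: str, arg: str):
    """Label the call if it reads something an environment check keys on, else None."""
    if api in CHECK_APIS:
        return f"{api}({arg})"
    if api.startswith(("RegOpenKey", "RegQueryValue")) and any(
            p.search(arg) for p in VM_ARTIFACT_PATTERNS):
        return f"{api}({arg})"
    return None


def find_evasive_chains(calls, window=8) -> list:
    """Per thread: one or more checks, then an exit API, with no payload API in between.

    Sleep calls are skipped so that sleeping between the check and the exit
    (as thread 3220 does in the sample) does not push the check out of the window.
    """
    recent = defaultdict(list)      # tid -> labels (or None) of the last `window` non-sleep calls
    chains = []
    for index, (tid, api, arg) in enumerate(calls):
        if api in SLEEP_APIS:
            continue
        if api in PAYLOAD_APIS:
            recent[tid].clear()
            continue
        if api in EXIT_APIS:
            checks = [c for c in recent[tid] if c]
            if checks:
                chains.append({"tid": tid, "exit_api": api, "exit_index": index, "checks": checks})
            recent[tid].clear()
            continue
        recent[tid].append(describe_check(api, arg))
        del recent[tid][:-window]
    return chains


# Constructed trace (not from the report): thread 3220 checks, sleeps, checks again and
# exits; thread 3224 checks but then does real file work, so it must not be flagged.
SAMPLE_TRACE = "\n".join(
    ["tid=3220 RegOpenKeyExW HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
     "tid=3220 RegQueryValueExW 0"]
    + ["tid=3220 Sleep 1000"] * 30
    + ["tid=3220 GetVolumeInformationW C:\\",
       "tid=3220 ExitProcess 0",
       "tid=3224 GetModuleFileNameW C:\\Users\\user\\Desktop\\sample.exe",
       "tid=3224 CreateFileW C:\\Users\\user\\AppData\\Local\\Temp\\out.bin",
       "tid=3224 WriteFile 4096",
       "tid=3224 ExitProcess 0"])


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for tid, s in find_sleep_loops(calls).items():
        print(f"tid {tid}: {s['count']} sleeps, {s['total_ms']} ms total")
    for chain in find_evasive_chains(calls):
        print(f"tid {chain['tid']}: {chain['exit_api']} after " + "; ".join(chain["checks"]))
```

The payload-API reset is what keeps the check from firing on every ordinary program that reads its own path at start-up: a check only counts when nothing of substance happens between it and the exit. Tune `window` and the Sleep thresholds to the monitor's granularity; a trace that records NtDelayExecution instead of Sleep needs its 100 ns units converted before the totals mean anything.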
Yara Overview |
---|
No Yara matches |
---|
Startup |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
TrID: |
File name: | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe |
File size: | 121856 |
MD5: | d80e956259c858eaccb53c1affaf8141 |
SHA1: | 7358e2d4879d4109c89400a4361ba8bb8e71b357 |
SHA256: | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7 |
SHA512: | eeda45b97914e7a00e6166f2e46070faabbff45eb6957dc0052383d17d0e5137b81ba268974f34bdc4c617397ad6e5cf0e241054145cd9dff93477b30a0660c1 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40b3c9 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui 40 |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4D6622A4 [Thu Feb 24 09:19:32 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Entrypoint Preview |
---|
Instruction |
---|
cmp ecx, 0000011Ch |
je 0E2B23E5h |
jmp 0E2B23E3h |
add byte ptr [eax], al |
add byte ptr [eax], al |
std |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [esi], bl |
add byte ptr [eax], al |
add byte ptr [eax], al |
int3 |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec esp |
add byte ptr [esi], bl |
add byte ptr [eax], al |
add byte ptr [ebx+00D10000h], al |
add byte ptr [eax], al |
mov dword ptr [004144ACh], edx |
cmp esi, A4600200h |
jnbe 0E2B23F2h |
jmp 0E2B23F0h |
add byte ptr [eax], al |
add byte ptr [esi+00000000h], bh |
add al, ah |
add byte ptr [eax+00h], dh |
arpl word ptr [eax], ax |
add byte ptr [eax], al |
add byte ptr [eax], al |
inc esp |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax+eax+1F000000h], bh |
add byte ptr [eax], al |
arpl word ptr [eax], ax |
jle 0E2B23C2h |
jnc 0E2B23C2h |
add byte ptr [eax], al |
iretd |
add byte ptr [eax], al |
add byte ptr [ebx+4146C83Dh], cl |
add byte ptr [ebx], bh |
cmp eax, 0041433Ch |
je 0E2B23E5h |
jmp 0E2B23E3h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [esi], cl |
add byte ptr [eax], al |
add byte ptr [eax+eax], ah |
add byte ptr [eax], al |
add byte ptr [eax], al |
stosb |
add byte ptr [eax], al |
add byte ptr [eax], al |
pop dword ptr [eax] |
add byte ptr [esi+5C000000h], cl |
add byte ptr [eax], al |
insd |
add byte ptr [eax], al |
mov ebx, dword ptr [00415228h] |
cmp ebx, dword ptr [00415228h] |
jnbe 0E2B23C2h |
cmp edi, 00000000h |
jnbe 0E2B23E5h |
jmp 0E2B23E3h |
add cl, bh |
add byte ptr [eax], al |
xchg dword ptr [eax], eax |
add byte ptr [eax], al |
add byte ptr [edi+00h], ch |
mov dl, 00h |
test al, 00h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x325ec | 0x154 | .rdataW |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x3a4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x192ac | 0x70 | .dataG |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x5ec | .rdataW |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xeb4c | 0xec00 | 6.58454534451 | False | 0.685248940678 | ump; data | IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
.dataG | 0x10000 | 0x21810 | 0x9a00 | 6.17317294259 | False | 0.72653713474 | ump; data | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.rdataW | 0x32000 | 0x4d19 | 0x4e00 | 3.58893178542 | False | 0.214643429487 | ump; data | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_LNK_OVER, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
.rsrc | 0x37000 | 0x3a4 | 0x400 | 3.13216794898 | False | 0.462890625 | ump; data | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
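The section table above is where the "PE file contains sections with non-standard names" and "PE file has an executable .text section and no other executable section" signatures come from, and the Entropy column is per-section Shannon entropy of the raw bytes. The script below is an added example, not tooling from the sandbox vendor: it walks DOS header, PE signature, COFF header and section table with only the Python standard library, computes the same entropy figure, and applies those two checks plus the two packer hints a reviewer would add (a writable and executable section; a section whose virtual size is far larger than its raw size, as .dataG is above with 0x21810 virtual against 0x9a00 raw). The PE image it parses is constructed in the file so it runs offline; its timestamp and section names copy the report's values (0x4D6622A4, .text/.dataG/.rsrc) but its bytes are synthetic, and the STANDARD_SECTIONS list is an assumption for the example, not the sandbox's.

```python
"""Static triage of a PE section table: names, entropy and packer-style layout hints."""
import math
import struct

# Names a stock MSVC/MinGW link step emits (assumption: illustrative list, not exhaustive).
STANDARD_SECTIONS = {
    b".text", b".data", b".rdata", b".bss", b".idata", b".edata", b".rsrc",
    b".reloc", b".tls", b".pdata", b".CRT", b".textbss",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Return the COFF timestamp and the section table; raises ValueError on non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes)
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * 40)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"timestamp": timestamp, "sections": sections}


def triage(image: bytes) -> dict:
    """Apply the section-level checks; findings are returned as plain strings."""
    pe = parse_pe(image)
    findings = []
    nonstd = [s["name"].decode("ascii", "replace") for s in pe["sections"]
              if s["name"] not in STANDARD_SECTIONS]
    if nonstd:
        findings.append("non-standard section names: " + ", ".join(nonstd))
    if [s["name"] for s in pe["sections"] if s["executable"]] == [b".text"]:
        findings.append("only .text is executable")
    for s in pe["sections"]:
        label = s["name"].decode("ascii", "replace")
        if s["executable"] and s["writable"]:
            findings.append(f"{label} is writable and executable")
        # Entropy near 8 over a real amount of data: compressed or encrypted payload.
        if s["raw_size"] >= 512 and s["entropy"] > 7.0:
            findings.append(f"{label} entropy {s['entropy']:.2f}: likely packed/encrypted")
        # Virtual size far beyond raw size: room reserved for code written at run time.
        if s["raw_size"] and s["virtual_size"] > 2 * s["raw_size"]:
            findings.append(f"{label} virtual size {s['virtual_size']:#x} >> raw {s['raw_size']:#x}")
    pe["findings"] = findings
    return pe


def _section_header(name, vsize, va, raw_size, raw_ptr, flags):
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr,
                       0, 0, 0, 0, flags)


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image (synthetic bytes, not the analysed sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4D6622A4, 0, 0, 0xE0, 0x010F)
    optional = struct.pack("<H", 0x10B) + b"\0" * 0xDE                 # PE32 magic, rest zeroed
    headers = (dos + b"PE\0\0" + coff + optional
               + _section_header(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
               + _section_header(b".dataG", 0x1000, 0x2000, 0x400, 0x400, 0xC0000040)
               + _section_header(b".rsrc", 0x200, 0x3000, 0x200, 0x800, 0x40000040))
    text = b"\x55\x8b\xec" + b"\x90" * 509                              # push ebp; mov ebp,esp; nops
    data_g = bytes(range(256)) * 4                                      # every byte value 4x: entropy 8.0
    rsrc = b"\0" * 512
    return headers.ljust(0x200, b"\0") + text + data_g + rsrc


if __name__ == "__main__":
    result = triage(build_sample_pe())
    print(f"timestamp 0x{result['timestamp']:08X}")
    for s in result["sections"]:
        print(f"{s['name'].decode():8} va={s['virtual_address']:#07x} entropy={s['entropy']:.3f}")
    for f in result["findings"]:
        print("!", f)
```

Run it against a real file with `triage(open(path, "rb").read())`. The entropy thresholds are hints, not verdicts: the .text section above sits at 6.58, below the packed range, which is consistent with the sandbox attributing 99% of executed code to dynamically generated memory rather than to a high-entropy section on disk.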
Resources |
---|
Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
---|---|---|---|---|---|---|---|
RT_VERSION | 0x37058 | 0x34c | ump; data | English | Australia | 0 | False |
Imports |
---|
DLL | Import |
---|---|
IMM32.dll | ImmConfigureIMEW, ImmIsUIMessageA, ImmRegisterWordA, ImmGetIMEFileNameW, ImmEscapeW, ImmUnlockIMC, ImmLockIMC, ImmGetCandidateListCountA, ImmSetConversionStatus, ImmGetRegisterWordStyleW, ImmNotifyIME, ImmGetCompositionFontW, ImmGetIMEFileNameA, ImmSetCompositionFontA, ImmGetCandidateListW, ImmGetImeMenuItemsW, ImmShowSoftKeyboard, ImmRequestMessageA, ImmGetCandidateWindow, ImmGetConversionListA, ImmSetCompositionFontW, ImmAssociateContextEx, ImmSetOpenStatus, ImmGetStatusWindowPos, ImmReleaseContext |
ADVPACK.dll | ExecuteCab, GetVersionFromFile, RegSaveRestore, RegSaveRestoreOnINF, IsNTAdmin, FileSaveMarkNotExist, ExtractFiles, LaunchINFSectionEx, TranslateInfStringEx, FileSaveRestore, RunSetupCommand, SetPerUserSecValues, AddDelBackupEntry, NeedRebootInit, DoInfInstall |
NTDLL.dll | NtReplyWaitReplyPort, RtlSetSecurityObject, RtlCheckRegistryKey, NtOpenSymbolicLinkObject, RtlInitializeCriticalSectionAndSpinCount, DbgUiConnectToDbg, NtSetIoCompletion, ZwDuplicateObject, ZwOpenEvent, ZwQueryKey, ZwSetSystemInformation, RtlAddAuditAccessAce, NtSetDefaultLocale, RtlLargeIntegerNegate, ZwOpenMutant, RtlSetUserFlagsHeap, RtlInitCodePageTable, RtlUpperString, RtlGetLongestNtPathLength, RtlDumpResource, ZwUnmapViewOfSection, NtCreateNamedPipeFile, NtFlushVirtualMemory, RtlPrefixUnicodeString, RtlFormatMessage, ZwSetInformationFile, ZwRegisterThreadTerminatePort, ZwCreateEvent, ZwSetIntervalProfile, NtAreMappedFilesTheSame, ZwQuerySemaphore, NtReadVirtualMemory |
WINSTA.dll | _WinStationBreakPoint, WinStationServerPing, WinStationGetProcessSid, _WinStationWaitForConnect, WinStationTerminateProcess, WinStationDisconnect, WinStationConnectW, _WinStationReadRegistry, WinStationNameFromLogonIdW, WinStationQueryInformationW, WinStationQueryLicense, WinStationOpenServerW, WinStationEnumerateA, WinStationFreeMemory, _WinStationNotifyNewSession, _WinStationShadowTargetSetup, _WinStationNotifyLogon, WinStationReset, WinStationQueryInformationA, WinStationEnumerateLicenses, ServerGetInternetConnectorStatus, LogonIdFromWinStationNameW, WinStationOpenServerA, _WinStationCallback, WinStationRenameA |
KERNEL32.dll | ExitProcess, _lwrite, IsDBCSLeadByteEx, ContinueDebugEvent, FindResourceExW, EnumResourceLanguagesW |
SECUR32.dll | LsaLogonUser, EncryptMessage, AcquireCredentialsHandleW, EnumerateSecurityPackagesW, InitSecurityInterfaceW, LsaDeregisterLogonProcess, ExportSecurityContext, EnumerateSecurityPackagesA, SaslEnumerateProfilesA, SaslInitializeSecurityContextA, LsaUnregisterPolicyChangeNotification, CompleteAuthToken, InitializeSecurityContextA, FreeCredentialsHandle, LsaFreeReturnBuffer, SaslInitializeSecurityContextW, LsaCallAuthenticationPackage, SaslGetProfilePackageW, AcquireCredentialsHandleA, GetComputerObjectNameA, QuerySecurityPackageInfoW, GetComputerObjectNameW, QueryContextAttributesW, TranslateNameW |
USER32.dll | ImpersonateDdeClientWindow |
NETAPI32.dll | NetFileGetInfo, NetServerTransportEnum, NetMessageNameEnum, NetDfsEnum, NetWkstaUserEnum, NetQueryDisplayInformation, NetWkstaUserSetInfo, NetLocalGroupDel, NetReplSetInfo, NetConfigGetAll, NetGroupDelUser, NetUserEnum, NetUserModalsSet, NetAlertRaise, NetGroupEnum, I_BrowserQueryStatistics, NetUserSetGroups, NetLocalGroupSetInfo, NetLocalGroupDelMembers, NetLocalGroupEnum, NetDfsGetDcAddress, NetReplImportDirLock, NetWkstaTransportAdd, NetGroupDel, NetServerTransportDel, NetScheduleJobAdd, NetApiBufferAllocate, NetUserGetGroups, DsEnumerateDomainTrustsW |
MSCMS.dll | GetColorProfileFromHandle, CheckBitmapBits, CreateProfileFromLogColorSpaceW, InternalGetPS2CSAFromLCS, InternalGetPS2PreviewCRD, SelectCMM, GetColorProfileElementTag, IsColorProfileValid, EnumColorProfilesA, GetPS2ColorSpaceArray, SetStandardColorSpaceProfileW, SetColorProfileElementSize, RegisterCMMA, GetPS2ColorRenderingDictionary, EnumColorProfilesW, GetColorDirectoryW, UninstallColorProfileW, UnregisterCMMA, SpoolerCopyFileEvent, IsColorProfileTagPresent, GetStandardColorSpaceProfileA, ConvertColorNameToIndex, OpenColorProfileA, SetColorProfileElement, GetColorDirectoryA, CreateColorTransformA, DisassociateColorProfileFromDeviceA, CreateProfileFromLogColorSpaceA |
PDH.dll | PdhVbAddCounter, PdhGetDefaultPerfObjectA, PdhVbCreateCounterPathList, PdhBrowseCountersW, PdhGetRawCounterValue, PdhGetCounterInfoW, PdhGetFormattedCounterArrayA, PdhGetCounterInfoA, PdhVbGetCounterPathElements, PdhLookupPerfNameByIndexW, PdhOpenQueryA, PdhExpandCounterPathA, PdhParseInstanceNameW, PdhEnumObjectsA, PdhIsRealTimeQuery, PdhRemoveCounter, PdhCloseLog, PdhComputeCounterStatistics, PdhGetDataSourceTimeRangeA, PdhParseInstanceNameA, PdhUpdateLogFileCatalog, PdhEnumObjectItemsA, PdhVbIsGoodStatus, PdhSetQueryTimeRange, PdhCollectQueryData |
WINSPOOL.drv | FindFirstPrinterChangeNotification, DeletePortA, EnumFormsA, PlayGdiScriptOnPrinterIC, QueryColorProfile, AddPrinterDriverA, EnumPrintersW, GetSpoolFileHandle, SetPortW, SetFormA, QueryRemoteFonts, DocumentPropertySheets, GetDefaultPrinterW, DeviceMode, SetPrinterDataExW, DeletePrinterDriverExA, OpenPrinterA, DeletePrinter, SetJobA, StartPagePrinter, SpoolerDevQueryPrintW, GetPrintProcessorDirectoryA, AddFormW, DeleteMonitorW, StartDocDlgA, AddPrinterDriverExW, EnumPortsW, FreePrinterNotifyInfo, DeletePrinterKeyA, DeletePrinterDataW, DevQueryPrint |
SHLWAPI.dll | SHOpenRegStreamA, SHDeleteOrphanKeyA, PathStripPathA, PathIsSystemFolderW, SHEnumValueA, PathMakePrettyA, UrlCompareW, PathGetCharTypeW, SHRegCloseUSKey, StrFormatKBSizeA, SHEnumKeyExA, StrCatW, PathFileExistsW, StrNCatA, PathIsDirectoryW, StrFromTimeIntervalW, PathIsUNCA, PathAddExtensionA, PathSearchAndQualifyW, PathCommonPrefixW, SHQueryValueExA, PathRemoveBackslashA, StrCmpIW, ChrCmpIA, AssocQueryStringByKeyA, PathCommonPrefixA, StrSpnW, StrChrIW, StrStrIW, StrCmpW, SHDeleteOrphanKeyW |
QUERY.dll | CICreateCommand, DoneCIPerformanceData, LocateCatalogsA, SetupCacheEx, BindIFilterFromStorage, InitializeCIPerformanceData, CIState, CITextToSelectTreeEx, CITextToFullTree, SetupCache, CITextToSelectTree, BeginCacheTransaction, SvcEntry_CiSvc, CollectCIISAPIPerformanceData, SetCatalogState, InitializeFILTERPerformanceData, CITextToFullTreeEx, BindIFilterFromStream, CIBuildQueryNode, InitializeCIISAPIPerformanceData, LoadTextFilter |
MPR.dll | WNetGetUserW, WNetEnumResourceA, WNetGetUserA, WNetGetUniversalNameW, WNetGetConnectionA, WNetGetConnectionW, WNetEnumResourceW, WNetGetResourceParentA, WNetCancelConnectionA, WNetConnectionDialog, WNetGetResourceInformationW, WNetGetLastErrorW, WNetGetNetworkInformationA, WNetCancelConnection2W, WNetCancelConnectionW, WNetCancelConnection2A, WNetDisconnectDialog, WNetOpenEnumW, WNetAddConnection3A, WNetGetLastErrorA, WNetCloseEnum, WNetAddConnectionW, WNetOpenEnumA |
CLUSAPI.dll | ClusterNetworkControl, GetClusterNetInterface, ClusterNetworkEnum, CreateClusterNotifyPort, CreateClusterGroup, ClusterResourceOpenEnum, ClusterRegEnumValue, ClusterRegCloseKey, RegisterClusterNotify, ClusterRegQueryInfoKey, GetClusterNetworkKey, GetClusterNodeId, ClusterOpenEnum, GetClusterGroupState, GetClusterNodeKey |
WINMM.dll | mmioSetInfo, midiInReset, midiInGetErrorTextW, midiOutGetID, auxGetDevCapsW, mmioAscend, mciSendCommandA, midiOutGetErrorTextA, midiOutGetVolume, mmioAdvance, mixerGetControlDetailsA, mciGetDriverData, joyGetPosEx, NotifyCallbackData, midiDisconnect, DrvGetModuleHandle, SendDriverMessage, mixerMessage, mciDriverYield, waveOutGetPitch, joyConfigChanged, mmioSeek, PlaySoundA, waveOutGetErrorTextA, waveOutGetID, waveOutGetVolume, midiInGetErrorTextA, mixerClose, mciLoadCommandResource, joySetThreshold, waveInGetNumDevs, mixerGetLineControlsW |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | 1999 |
InternalName | Obyhi |
FileVersion | 4, 8, 2 |
CompanyName | Max Secure Software www.maxpcsecure.com |
LegalTrademarks | Ejecogu Vor Yjydo Efab Bam Ocadode Yzamop |
ProductName | Avukab |
ProductVersion | 4 |
FileDescription | Yfak Ehocaqi Adimy |
OriginalFilename | Gdgkcdowg.exe |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Australia |
Network Behavior |
---|
No network behavior found |
---|
Hooks - Code Manipulation Behavior |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 19:35:28 |
Start date: | 10/03/2015 |
Path: | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x755d0000 |
File size: | 121856 bytes |
MD5 hash: | D80E956259C858EACCB53C1AFFAF8141 |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 8.7% |
Dynamic/Decrypted Code Coverage: | 99% |
Signature Coverage: | 33% |
Total number of Nodes: | 775 |
Total number of Limit Nodes: | 2 |
Executed Functions |
---|
Non-executed Functions |
---|