auwbqhnpuyqn.exe

TCP/IP Netstat Command

Microsoft Corporation

This is a setup program used to install the application. It is set to start automatically when a user logs into Windows, via the current user Run registry key under the display name ‘E3Hiieo82LdCTi4W’. The file has been seen being downloaded from www.tibiaiwindbot.com.

Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
TCP/IP Netstat Command

Version:
6.1.7600.16385 (win7_rtm.090713-1255)

MD5:
046843dd95a69b087bfcf7e6317d3ef1

SHA-1:
079078e6ca116f8db4f3851a5447ddf20158a779

SHA-256:
056ade1a810058b81395cbffda0ead197af43fb704b73bf0d8ffad4746a6526b

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
12/28/2024 10:15:52 AM UTC

File size:
32.2 MB (33,783,296 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
netstat.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\dad6ck1amhrn9qrt\auwbqhnpuyqn.exe

File PE Metadata
Compilation timestamp:
1/10/2016 9:27:18 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
48.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
786432:ebR9K7PUvdYNcL4Lp3++9PHrLz2uxYSNJMI6C4MOKnSTgj8EagOOm:eV9QPUvdYLLp35frLLZnMI6C4MSUj8EA

Entry address:
0x1076CBE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
16.5 MB (17,255,936 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
E3Hiieo82LdCTi4W

Command:
C:\users\{user}\appdata\roaming\dad6ck1amhrn9qrt\auwbqhnpuyqn.exe


The file auwbqhnpuyqn.exe has been seen being distributed by the following URL.
