Edit tour
Windows
Analysis Report
BRWgvKaqbg.exe
Overview
General Information
| Sample name: | BRWgvKaqbg.exerenamed because original name is a hash value |
| Original sample name: | c72e70f29d3dd8fa148df55e8e6dec43.exe |
| Analysis ID: | 1463427 |
| MD5: | c72e70f29d3dd8fa148df55e8e6dec43 |
| SHA1: | 2f182d43528f78d6d847b37b77da9a09a2ed1f0a |
| SHA256: | baff3039b9acf97084d1b853f495026c52a4c483d010901e226beb599d23df5b |
| Tags: | 32exetrojan |
| Infos: |   |
 | |
Detection
PureLog Stealer, RisePro Stealer, Vidar, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Yara detected zgRAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
BRWgvKaqbg.exe (PID: 6664 cmdline: "C:\Users\ user\Deskt op\BRWgvKa qbg.exe" MD5: C72E70F29D3DD8FA148DF55E8E6DEC43) - RegAsm.exe (PID: 3636 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 6556 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - schtasks.exe (PID: 6980 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_fa0f 5bd4530908 1f2cfb5ab4 2e0d965f\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_f a0f5bd4530 9081f2cfb5 ab42e0d965 f HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) 
conhost.exe (PID: 7148 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 2300 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_fa0f 5bd4530908 1f2cfb5ab4 2e0d965f\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_f a0f5bd4530 9081f2cfb5 ab42e0d965 f LG" /sc ONLOGON /r l HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 3148 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - s7jOcwxjI7k0XEcaiYN_.exe (PID: 3920 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\spanmA 1X5YS12PoP \s7jOcwxjI 7k0XEcaiYN _.exe" MD5: C72E70F29D3DD8FA148DF55E8E6DEC43) - RegAsm.exe (PID: 6436 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 5812 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 1848 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 5240 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) 
WerFault.exe (PID: 7140 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 920 -s 264 MD5: C31336C1EFC2CCB44B4326EA793040F2) - schtasks.exe (PID: 5712 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_bf60 1beeeacc93 e7a6f37b80 206515f4\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_b f601beeeac c93e7a6f37 b80206515f 4 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 2820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 5300 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_bf60 1beeeacc93 e7a6f37b80 206515f4\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_b f601beeeac c93e7a6f37 b80206515f 4 LG" /sc ONLOGON /r l HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 5388 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - hhUml7ndoUuFxb5WyDjE.exe (PID: 7148 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\spanmA 1X5YS12PoP \hhUml7ndo UuFxb5WyDj E.exe" MD5: F3D3B5411E090124197B7B6297B1D8DB) - RegAsm.exe (PID: 2792 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - RegAsm.exe (PID: 3620 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - conhost.exe (PID: 5888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WerFault.exe (PID: 5656 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 148 -s 320 MD5: C31336C1EFC2CCB44B4326EA793040F2) - schtasks.exe (PID: 4464 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_e9e7 ec3f581e04 02136334ff a3c9b874\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_e 9e7ec3f581 e040213633 4ffa3c9b87 4 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 2820 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 7204 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_e9e7 ec3f581e04 02136334ff a3c9b874\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_e 9e7ec3f581 e040213633 4ffa3c9b87 4 LG" /sc ONLOGON /r l HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7212 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - pQuKvF5V8lUXfe4thfRR.exe (PID: 7288 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\spanmA 1X5YS12PoP \pQuKvF5V8 lUXfe4thfR R.exe" MD5: CB907B20EE4FB4389D25989D7DE466E8) - RegAsm.exe (PID: 7316 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - WerFault.exe (PID: 7352 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 288 -s 280 MD5: C31336C1EFC2CCB44B4326EA793040F2) - schtasks.exe (PID: 7400 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MSIUpdate rV168_672d 1ad293a4f8 76ddc1e7a9 24b38ed7\M SIUpdaterV 168.exe" / tn "MSIUpd aterV168_6 72d1ad293a 4f876ddc1e 7a924b38ed 7 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7408 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WerFault.exe (PID: 6180 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 664 -s 280 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- MSIUpdaterV168.exe (PID: 5952 cmdline:
C:\Program Data\MSIUp daterV168_ fa0f5bd453 09081f2cfb 5ab42e0d96 5f\MSIUpda terV168.ex e MD5: C72E70F29D3DD8FA148DF55E8E6DEC43) - RegAsm.exe (PID: 7264 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- MSIUpdaterV168.exe (PID: 3812 cmdline:
C:\Program Data\MSIUp daterV168_ fa0f5bd453 09081f2cfb 5ab42e0d96 5f\MSIUpda terV168.ex e MD5: C72E70F29D3DD8FA148DF55E8E6DEC43) - RegAsm.exe (PID: 7276 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- MSIUpdaterV168.exe (PID: 3292 cmdline:
C:\Program Data\MSIUp daterV168_ bf601beeea cc93e7a6f3 7b80206515 f4\MSIUpda terV168.ex e MD5: F3D3B5411E090124197B7B6297B1D8DB)
- MSIUpdaterV168.exe (PID: 6688 cmdline:
C:\Program Data\MSIUp daterV168_ bf601beeea cc93e7a6f3 7b80206515 f4\MSIUpda terV168.ex e MD5: F3D3B5411E090124197B7B6297B1D8DB)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "6b8642176bdf6e69e18dcef863f92aad"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| Click to see the 10 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
| |
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| Click to see the 10 entries | ||||
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Timestamp: | 06/27/24-06:44:33.165311 |
| SID: | 2046269 |
| Source Port: | 49741 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:07.294016 |
| SID: | 2049060 |
| Source Port: | 49706 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:36.355417 |
| SID: | 2046266 |
| Source Port: | 50500 |
| Destination Port: | 49755 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:26.773577 |
| SID: | 2054010 |
| Source Port: | 65207 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:26.352643 |
| SID: | 2046269 |
| Source Port: | 49723 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:13.142593 |
| SID: | 2046267 |
| Source Port: | 50500 |
| Destination Port: | 49706 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:07.857763 |
| SID: | 2046266 |
| Source Port: | 50500 |
| Destination Port: | 49706 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:26.793271 |
| SID: | 2054014 |
| Source Port: | 61566 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:10.977590 |
| SID: | 2046269 |
| Source Port: | 49706 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:23.216805 |
| SID: | 2046266 |
| Source Port: | 50500 |
| Destination Port: | 49723 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:30.039904 |
| SID: | 2046266 |
| Source Port: | 50500 |
| Destination Port: | 49741 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:30.017263 |
| SID: | 2046266 |
| Source Port: | 50500 |
| Destination Port: | 49740 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 06/27/24-06:44:33.149483 |
| SID: | 2046269 |
| Source Port: | 49740 |
| Destination Port: | 50500 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Code function: | 2_2_004C6B00 | |
| Source: | Code function: | 43_2_00407E41 | |
| Source: | Code function: | 43_2_0041302D | |
| Source: | Code function: | 43_2_00407DC2 | |
| Source: | Code function: | 43_2_0040AB80 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00589BD3 | |
| Source: | Code function: | 2_2_004C6000 | |
| Source: | Code function: | 2_2_004E6770 | |
| Source: | Code function: | 2_2_00493F40 | |
| Source: | Code function: | 2_2_00431F9C | |
| Source: | Code function: | 2_2_00432022 | |
| Source: | Code function: | 2_2_004938D0 | |
| Source: | Code function: | 2_2_0044FC2F | |
| Source: | Code function: | 13_2_00DB9BD3 | |
| Source: | Code function: | 14_2_00639BD3 | |
| Source: | Code function: | 26_2_00BE9BD3 | |
| Source: | Code function: | 33_2_00C49BD3 | |
| Source: | Code function: | 42_2_00449BD3 | |
| Source: | Code function: | 43_2_00409FC0 | |
| Source: | Code function: | 43_2_00401443 | |
| Source: | Code function: | 43_2_0040E016 | |
| Source: | Code function: | 43_2_0040C039 | |
| Source: | Code function: | 43_2_004164C7 | |
| Source: | Code function: | 43_2_0040BC98 | |
| Source: | Code function: | 43_2_00416D7D | |
| Source: | Code function: | 43_2_0040D690 | |
| Source: | Code function: | 43_2_0040C6B5 | |
| Source: | Code function: | 43_2_004177D3 | |
| Source: | Code function: | 43_2_0041738D | |
| Source: | Code function: | 43_2_004169EC | |
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
| Source: | File opened: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||