Windows Analysis Report
ring.exe
Overview
General Information
Detection
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 84 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- ring.exe (PID: 6300, cmdline: "C:\Users\user\Desktop\ring.exe", MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)
  - cmd.exe (PID: 2460, cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 5976, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 2928, cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - WmiPrvSE.exe (PID: 7272, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- ring.exe (PID: 7464, cmdline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe", MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)
- ring.exe (PID: 7544, cmdline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe", MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)
- cleanup
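The process tree shows the sample launching cmd.exe, which runs powershell.exe with Add-MpPreference -ExclusionPath for the copy it dropped under C:\Users\user\AppData\Roaming\Win_24230, and the dropped copy then running on its own (PIDs 7464 and 7544). The detection logic below is an added example, not part of the Joe Sandbox report or of the sample. It runs over process-creation events constructed to mirror the command lines in the tree: the command lines of PIDs 6300, 2460 and 2928 are the report's own, while the PowerShell image path, the parent of each event and the benign administrator event (PID 9001) are assumptions. It flags three things a SOC rule would key on: a Defender exclusion being added at all, an exclusion that points into a user-writable directory, and a shell spawned by an executable living in a user-writable directory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Process-creation events modelled on the report's process tree. Command lines
# of PIDs 6300, 2460 and 2928 are from the report; the PowerShell image path,
# the parent images and the benign admin event (PID 9001) are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 6300, "image": r"C:\Users\user\Desktop\ring.exe",
     "parent_image": None,  # parent not shown in the report
     "cmdline": r'"C:\Users\user\Desktop\ring.exe"'},
    {"pid": 2460, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\ring.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"'''},
    {"pid": 2928, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"'''},
    {"pid": 9001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\BuildAgent\work'"'''},
]

# Add-MpPreference/Set-MpPreference followed by any -Exclusion* parameter.
# PowerShell accepts unambiguous parameter prefixes, so match the stem only.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion\w*\s+['\"]?([^'\"]+)",
    re.IGNORECASE | re.DOTALL,
)
# Directories an unprivileged user can write to and that droppers use.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\",
    re.IGNORECASE,
)
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def scan_event(ev: Dict) -> List[Finding]:
    """Apply the three rules to one process-creation event."""
    findings: List[Finding] = []
    m = EXCLUSION_RE.search(ev["cmdline"])
    if m:
        excluded = m.group(1).strip()
        findings.append(Finding(ev["pid"], "defender_exclusion_added", excluded))
        if USER_WRITABLE_RE.match(excluded):
            findings.append(Finding(ev["pid"], "exclusion_in_user_writable_path", excluded))
    parent = ev.get("parent_image") or ""
    if USER_WRITABLE_RE.match(parent) and ev["image"].lower().endswith(SHELLS):
        findings.append(Finding(ev["pid"], "shell_spawned_from_user_writable_parent", parent))
    return findings


def scan(events: List[Dict]) -> List[Finding]:
    return [f for ev in events for f in scan_event(ev)]


def severity(findings: List[Finding]) -> str:
    """'high' when the exclusion target or the parent lives in user-writable space."""
    rules = {f.rule for f in findings}
    if rules & {"exclusion_in_user_writable_path", "shell_spawned_from_user_writable_parent"}:
        return "high"
    if "defender_exclusion_added" in rules:
        return "medium"
    return "none"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        fs = scan_event(ev)
        print(ev["pid"], severity(fs), [f.rule for f in fs])
```

The benign event (PID 9001) still produces a medium finding: every exclusion change is worth an audit entry, but only the one pointing into AppData, from a shell whose parent sits on the Desktop, reaches high. On a live host the same check can be run against the current configuration with Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension) to find what the sample left behind.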
System Summary
- Author: Florian Roth (Nextron Systems)
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: Florian Roth (Nextron Systems)
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-19T20:36:17.886678+0100 | 2020315 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 24.152.39.13 | 55417 | TCP |
| 2024-11-19T20:36:18.601634+0100 | 2020316 | 1 | A Network Trojan was detected | 24.152.39.13 | 55417 | 192.168.2.7 | 49707 | TCP |
Signature sections:
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
AV Detection (signature entries by observation type; the per-entry detail columns are empty in this copy)
- ReversingLabs: 1 entry
- Integrated Neural Analysis Model: 1 entry
- Joe Sandbox ML: 2 entries
- Static PE information: 2 entries
Networking
- Suricata IDS: 2 entries
- TCP traffic: 1 entry
- IP Address: 1 entry
- ASN Name: 1 entry
- DNS query: 1 entry
- HTTP traffic detected: 1 entry
- TCP traffic detected without corresponding DNS query: 11 entries
- UDP traffic detected without corresponding DNS query: 2 entries
- HTTP traffic detected: 2 entries
- DNS traffic detected: 2 entries
- String found in binary or memory: 5 entries
- Static PE information: 2 entries
- Binary or memory string: 1 entry
- Static PE information: 1 entry
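Eleven of the networking signatures are of the "TCP traffic detected without corresponding DNS query" kind, and the Suricata alerts place the C2 session on TCP port 55417 to 24.152.39.13 (adsklbb.org), while api64.ipify.org is the usual external-IP lookup. The Python below is an added example, not part of the Joe Sandbox report, that reproduces those two heuristics over constructed DNS-answer and flow records: the two name resolutions come from the report's domain table and the three destination IPs from its IP table; the C2 port is the one in the Suricata alert, but the timestamps, the other two ports and the repeat connection at 20:40 are assumptions. A flow to a public IP that no recent DNS answer explains is flagged as a hard-coded destination, and a flow to a port other than 80/443 is flagged separately.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed records mirroring the report: resolutions from its domain table,
# destinations from its IP table, C2 port 55417 from the Suricata alert.
# Timestamps, the other ports and the 20:40 repeat connection are assumptions.
DNS_ANSWERS = [  # (timestamp, queried name, answered IP)
    ("2024-11-19T20:36:15", "api64.ipify.org", "104.237.62.213"),
    ("2024-11-19T20:36:16", "adsklbb.org", "24.152.39.13"),
]
FLOWS = [  # (timestamp, src, dst, dst_port)
    ("2024-11-19T20:36:16", "192.168.2.7", "104.237.62.213", 443),
    ("2024-11-19T20:36:17", "192.168.2.7", "24.152.39.13", 55417),
    ("2024-11-19T20:36:20", "192.168.2.7", "154.205.156.20", 80),
    ("2024-11-19T20:40:00", "192.168.2.7", "24.152.39.13", 55417),
]

# Only answers seen within this window before a flow count as "its" lookup;
# a cache entry from hours earlier is not evidence the process resolved the name.
LOOKBACK = timedelta(minutes=10)
WELL_KNOWN_PORTS = {80, 443}


@dataclass(frozen=True)
class FlowVerdict:
    dst_ip: str
    dst_port: int
    resolved_name: Optional[str]
    flags: Tuple[str, ...]


def build_dns_index(answers) -> Dict[str, List[Tuple[datetime, str]]]:
    """Map each answered IP to the (time, name) pairs that resolved to it."""
    index: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, name, ip in answers:
        index[ip].append((datetime.fromisoformat(ts), name))
    return index


def classify_flow(flow, dns_index) -> Optional[FlowVerdict]:
    ts, _src, dst, port = flow
    if not ipaddress.ip_address(dst).is_global:
        return None  # RFC1918, loopback, link-local: out of scope
    t = datetime.fromisoformat(ts)
    names = [name for ats, name in dns_index.get(dst, []) if t - LOOKBACK <= ats <= t]
    flags: List[str] = []
    if not names:
        flags.append("tcp_without_dns")  # no lookup preceded the connection
    if port not in WELL_KNOWN_PORTS:
        flags.append("non_standard_port")
    return FlowVerdict(dst, port, names[-1] if names else None, tuple(flags))


def classify_all(flows, answers) -> List[FlowVerdict]:
    index = build_dns_index(answers)
    return [v for v in (classify_flow(f, index) for f in flows) if v is not None]


def suspicious_destinations(verdicts) -> Dict[str, set]:
    """Collapse per-flow flags into one entry per flagged destination IP."""
    out: Dict[str, set] = defaultdict(set)
    for v in verdicts:
        if v.flags:
            out[v.dst_ip].update(v.flags)
    return dict(out)


if __name__ == "__main__":
    for v in classify_all(FLOWS, DNS_ANSWERS):
        print(f"{v.dst_ip}:{v.dst_port} name={v.resolved_name} flags={v.flags}")
```

The ipify flow comes out clean (resolved, port 443), the adsklbb.org flows are resolved but on a non-standard port, and 154.205.156.20 is reached with no lookup at all, which matches the report listing it with no domain. The lookback window matters in both directions: too short and a long-lived session after a single lookup is misreported as DNS-less, too long and a sandbox-wide cache hides hard-coded addresses.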
- Classification label: 1 entry
- File created: 1 entry
- Mutant created: 3 entries
- File created: 1 entry
- Key opened: 6 entries
- File read: 1 entry
- Key opened: 1 entry
- String found in binary or memory: 7 entries
- File read: 1 entry
- Process created: 9 entries
- Section loaded: 148 entries
- Key value queried: 1 entry
- Window detected: 1 entry
- File opened: 1 entry
- Static PE information: 1 entry
- Static file information: 1 entry
- Static PE information: 2 entries
- Static PE information: 1 entry
- Static PE information: 1 entry
- Static PE information: 2 entries
- Static PE information: 1 entry
- File created (dropped file): 1 entry
- Registry value created or modified: 2 entries
Hooking and other Techniques for Hiding and Protection
- File opened: 7 entries
- Process information set: 140 entries
- File opened / queried: 10 entries
- Thread delayed: 1 entry
- Window / User API: 2 entries
- Thread sleep count: 2 entries; Thread sleep time: 1 entry
- Last function: 1 entry
- Thread delayed: 1 entry
- Binary or memory string: 6 entries
- Process information queried: 1 entry
- Process token adjusted: 1 entry
HIPS / PFW / Operating System Protection Evasion
- Process created: 4 entries
- Process created: 2 entries
- Binary or memory string: 2 entries
- Queries volume information: 25 entries
Stealing of Sensitive Information
- File opened: 1 entry
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Network Share Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 11 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 100% | Joe Sandbox ML | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 100% | Joe Sandbox ML | |
| | 18% | ReversingLabs | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| | 0% | Avira URL Cloud | safe |
| | 0% | Avira URL Cloud | safe |
| | 0% | Avira URL Cloud | safe |
| | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
adsklbb.org | 24.152.39.13 | true | true | unknown | |
api64.ipify.org | 104.237.62.213 | true | false | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 154.205.156.20 | unknown | Seychelles | 26484 | IKGUL-26484US | false |
| 104.237.62.213 | api64.ipify.org | United States | 18450 | WEBNXUS | false |
| 24.152.39.13 | adsklbb.org | unknown | 270564 | MasterDaWebBR | true |
| Field | Value |
|---|---|
| Joe Sandbox version | 41.0.0 Charoite |
| Analysis ID | 1558818 |
| Start date and time | 2024-11-19 20:35:12 +01:00 |
| Joe Sandbox product | CloudBasic |
| Overall analysis duration | 0h 5m 23s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of new started processes analysed | 18 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Technologies | |
| Analysis Mode | default |
| Analysis stop reason | Timeout |
| Sample name | ring.exe |
| Detection | MAL |
| Classification | mal84.spyw.evad.winEXE@9/9@2/3 |
| EGA Information | Failed |
| HCA Information | |

Cookbook Comments:
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target ring.exe, PID 6300 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtCreateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: ring.exe
| Time | Type | Description |
|---|---|---|
| 14:36:15 | API Interceptor | |
| 14:36:16 | API Interceptor | |
| 20:36:19 | Autostart | |
| 20:36:28 | Autostart | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.237.62.213 | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | |
| | | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | |
| | | Get hash | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | Browse | |
| | | Get hash | malicious | LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig | Browse | |
| | | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc | Browse | |
| | | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | Browse | |
| | | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc | Browse | |
| | | Get hash | malicious | LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
api64.ipify.org | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | PrivateLoader, Stealc, Vidar | Browse | |
| | | Get hash | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | |
| | | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | |
| | | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | |
| | | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | Browse | |
| | | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | Browse | |
| | | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
MasterDaWebBR | | Get hash | malicious | AsyncRAT, PureLog Stealer, zgRAT | Browse | |
| | | Get hash | malicious | AsyncRAT, PureLog Stealer, zgRAT | Browse | |
| | | Get hash | malicious | Njrat | Browse | |
| | | Get hash | malicious | Njrat | Browse | |
| | | Get hash | malicious | Clipboard Hijacker, Quasar | Browse | |
| | | Get hash | malicious | Njrat | Browse | |
| | | Get hash | malicious | Njrat | Browse | |
| | | Get hash | malicious | Remcos | Browse | |
| | | Get hash | malicious | Mirai, Okiru | Browse | |
| | | Get hash | malicious | Mirai, Okiru | Browse | |
IKGUL-26484US | | Get hash | malicious | FormBook | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | FormBook | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
WEBNXUS | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | DarkComet, DarkTortilla, Neshta | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | HTMLPhisher | Browse | |
| | | Get hash | malicious | Unknown | Browse | |
| | | Get hash | malicious | Mirai | Browse | |
| | | Get hash | malicious | PrivateLoader, Stealc, Vidar | Browse | |
Process: | C:\Users\user\Desktop\ring.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 200 |
Entropy (8bit): | 5.103507445471441 |
Encrypted: | false |
SSDEEP: | 3:ocsHUq8dUV2hcFfL8/jBK8hv1xu9wr0qpE11MGNstDUrZOFdNIAzXPCTK/1VWC:oHW9hcxLs9vHFrRqCwZOFPIAzXIel |
MD5: | 22868ABF80E396FB8A7C5F27A82A2C4E |
SHA1: | 398C626F408A701A3B83A97C6555E7F26ECBA1DD |
SHA-256: | FDCC20DF3C1D998528B44D2FE027B492BA0206CAAD704E719946F9DF44E86499 |
SHA-512: | 866347B8E2C7B04D8FE27433D4389B780591F65102F4E30A1DDFE545BE17E7B976907C9C8496D8CA2EE5A056711C6734FBB1E2E3A8761285E1B9E6D607DA18D8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2232 |
Entropy (8bit): | 5.380747059108785 |
Encrypted: | false |
SSDEEP: | 48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:lGLHxvIIwLgZ2KRHWLOugEs |
MD5: | 98BD0A3DBC29BD9486474C3069740CE0 |
SHA1: | D2D2389EC77D5C090CB7A232747C1E74CD2F3346 |
SHA-256: | 0BDF783C058C98376CF0951AEB1A960CD03118E836EAFE4977BB5B616AB368E9 |
SHA-512: | 17B166F024D169FDF4F7F5AC95A53A1380E625B496A0CA04392A7E2538D73F3F8FB70585C6CFC0DA05CD50B45EDDC7B04321B3816D39FE4261F547D6FA900CDC |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\ring.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17488384 |
Entropy (8bit): | 4.786504001985185 |
Encrypted: | false |
SSDEEP: | 49152:3h+ZMbgw1VoIj5CSYS9o9IpHiYXcaXoMx+q2zAkcq085zXnCC7CWRUFGwhnb1b:3h+ZYD5DXc6oMx7CAkL0iz3T8T1b |
MD5: | DEC85DE31C5A9E3754AB0FCFED8A3E79 |
SHA1: | B47C8F4918518F1538842B5B12BC5DCBEA5C3D59 |
SHA-256: | FA4F6DA9EA8ACA025D129328CE57B36343A1BC8796D1846D02157D2242F904A8 |
SHA-512: | 34831FF6C2571F0354BD5958A036A0030C85CAB0C6DCB47C881CB366A47ADF20741D6A473BE369C20A1535FDE380F0BE6BC53C5EDB96D4729A92D4BBF47BF0AA |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\ring.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Preview: |
Process: | C:\Users\user\Desktop\ring.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12 |
Entropy (8bit): | 2.8553885422075336 |
Encrypted: | false |
SSDEEP: | 3:tR6r:k |
MD5: | 2859916D3768B8859995F1AB7D03A74C |
SHA1: | 0531F9B1D851BBA2E56C3DDC8B2B173C30E5117F |
SHA-256: | AC19D06F24FE1D63584CA24CF2F30F99A45AE7AFC9AFC9A2F58754B19AC175CD |
SHA-512: | F26287C42157ED198417540B90685C008B15E127BF48117922BDFA8DD42A4A0489D72F11DAC89F22685021C625BF257D430A3901AFB72DF78381E3FEEB1C12AE |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 4.786504001985185 |
TrID: | |
File name: | ring.exe |
File size: | 17'488'384 bytes |
MD5: | dec85de31c5a9e3754ab0fcfed8a3e79 |
SHA1: | b47c8f4918518f1538842b5b12bc5dcbea5c3d59 |
SHA256: | fa4f6da9ea8aca025d129328ce57b36343a1bc8796d1846d02157d2242f904a8 |
SHA512: | 34831ff6c2571f0354bd5958a036a0030c85cab0c6dcb47c881cb366a47adf20741d6a473be369c20a1535fde380f0be6bc53c5edb96d4729a92d4bbf47bf0aa |
SSDEEP: | 49152:3h+ZMbgw1VoIj5CSYS9o9IpHiYXcaXoMx+q2zAkcq085zXnCC7CWRUFGwhnb1b:3h+ZYD5DXc6oMx7CAkL0iz3T8T1b |
TLSH: | 2907B20A594AD025D6E10FF6E835F29CD826FF381B94842D45523ABA49F34E12D2EF37 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 1c0d51316e630605 |
Entrypoint: | 0x8a7254 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x673CD9EA [Tue Nov 19 18:33:14 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 5d836336e2a3e8a72b29dc47ad486ef9 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
push ebx |
mov eax, 00896CA8h |
call 00007FB1D43B9E58h |
mov ebx, dword ptr [008BA2B8h] |
mov eax, dword ptr [ebx] |
call 00007FB1D45C856Bh |
mov eax, dword ptr [ebx] |
xor edx, edx |
call 00007FB1D45CA54Eh |
mov eax, dword ptr [ebx] |
mov byte ptr [eax+6Fh], 00000000h |
mov ecx, dword ptr [008BA7D0h] |
mov eax, dword ptr [ebx] |
mov edx, dword ptr [008903C8h] |
call 00007FB1D45C8561h |
mov ecx, dword ptr [008BA154h] |
mov eax, dword ptr [ebx] |
mov edx, dword ptr [0088F6A4h] |
call 00007FB1D45C854Eh |
mov eax, dword ptr [ebx] |
call 00007FB1D45C86A7h |
pop ebx |
call 00007FB1D43B1F8Dh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4c8000 | 0x6d | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4c3000 | 0x3bcc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x534000 | 0xb87600 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4cb000 | 0x68d24 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4ca000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4c3a78 | 0x938 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4c7000 | 0xcba | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x4a23cc | 0x4a2400 | f5f8ccda1a307202c6c7962e04af99d2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x4a4000 | 0x32b4 | 0x3400 | 28a473619959e8561758d252642b3183 | False | 0.5259164663461539 | data | 6.3031884940201675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x4a8000 | 0x12a84 | 0x12c00 | 930d0cb7a6adeaccbda21771572e6a2e | False | 0.4514453125 | data | 5.254698117597858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x4bb000 | 0x7bac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x4c3000 | 0x3bcc | 0x3c00 | 2a38558d252082e4fa9717c35f8fe828 | False | 0.3294270833333333 | data | 5.073982386819174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x4c7000 | 0xcba | 0xe00 | 65241c26d81e8679f0b722e763e353c2 | False | 0.3267299107142857 | data | 4.132414128380479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x4c8000 | 0x6d | 0x200 | 58c891240fa923bc27c6a3cdaf9979ad | False | 0.171875 | data | 1.2878106550381676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x4c9000 | 0x58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x4ca000 | 0x5d | 0x200 | 4b43cedfc39507543d7798c37294f9bd | False | 0.189453125 | data | 1.383131954273433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x4cb000 | 0x68d24 | 0x68e00 | e7b8d97ed50e19b38175fa9966b51078 | False | 0.5448194465137068 | data | 6.701719733741433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x534000 | 0xb87600 | 0xb87600 | 932cd71749c3e8638c2ec7cd9a23da31 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x535ab0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x535be4 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x535d18 | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x535e4c | 0x134 | data | English | United States | 0.38311688311688313 |
RT_CURSOR | 0x535f80 | 0x134 | data | English | United States | 0.36038961038961037 |
RT_CURSOR | 0x5360b4 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x5361e8 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_ICON | 0x53631c | 0x294 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0166666666666666 |
RT_ICON | 0x5365b0 | 0x2fa | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0144356955380578 |
RT_ICON | 0x5368ac | 0x3ee | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.010934393638171 |
RT_ICON | 0x536c9c | 0x596 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0076923076923077 |
RT_ICON | 0x537234 | 0x6b8 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0063953488372093 |
RT_ICON | 0x5378ec | 0x81f | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.0052910052910053 |
RT_ICON | 0x53810c | 0x9f5 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0043154178109062 |
RT_ICON | 0x538b04 | 0x1f1e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9713783580215918 |
RT_STRING | 0x53aa24 | 0xa4 | data | | | 0.5975609756097561 |
RT_STRING | 0x53aac8 | 0x52c | data | | | 0.3716012084592145 |
RT_STRING | 0x53aff4 | 0x598 | data | | | 0.3498603351955307 |
RT_STRING | 0x53b58c | 0x52c | data | | | 0.23867069486404835 |
RT_STRING | 0x53bab8 | 0x57c | data | | | 0.297008547008547 |
RT_STRING | 0x53c034 | 0x4ec | data | | | 0.30873015873015874 |
RT_STRING | 0x53c520 | 0x494 | data | | | 0.35921501706484643 |
RT_STRING | 0x53c9b4 | 0x324 | data | | | 0.42039800995024873 |
RT_STRING | 0x53ccd8 | 0x3c4 | AmigaOS bitmap font "n", fc_YSize 30208, 18688 elements, 2nd "l", 3rd "e" | | | 0.37655601659751037 |
RT_STRING | 0x53d09c | 0x3cc | data | | | 0.43621399176954734 |
RT_STRING | 0x53d468 | 0x744 | data | | | 0.27903225806451615 |
RT_STRING | 0x53dbac | 0x588 | data | | | 0.3114406779661017 |
RT_STRING | 0x53e134 | 0x474 | data | | | 0.39649122807017545 |
RT_STRING | 0x53e5a8 | 0x340 | data | | | 0.43509615384615385 |
RT_STRING | 0x53e8e8 | 0x384 | data | | | 0.41888888888888887 |
RT_STRING | 0x53ec6c | 0x514 | data | | | 0.3607692307692308 |
RT_STRING | 0x53f180 | 0x478 | data | | | 0.40646853146853146 |
RT_STRING | 0x53f5f8 | 0x404 | data | | | 0.3861867704280156 |
RT_STRING | 0x53f9fc | 0x41c | data | | | 0.34600760456273766 |
RT_STRING | 0x53fe18 | 0x448 | data | | | 0.33667883211678834 |
RT_STRING | 0x540260 | 0x57c | data | | | 0.26282051282051283 |
RT_STRING | 0x5407dc | 0x3a8 | data | | | 0.4091880341880342 |
RT_STRING | 0x540b84 | 0x574 | data | | | 0.3538681948424069 |
RT_STRING | 0x5410f8 | 0xae4 | data | | | 0.2654232424677188 |
RT_STRING | 0x541bdc | 0x844 | data | | | 0.2939508506616257 |
RT_STRING | 0x542420 | 0xf4c | data | | | 0.21884576098059244 |
RT_STRING | 0x54336c | 0xb10 | data | | | 0.2891949152542373 |
RT_STRING | 0x543e7c | 0xa2c | data | | | 0.3248847926267281 |
RT_STRING | 0x5448a8 | 0x920 | data | | | 0.2833904109589041 |
RT_STRING | 0x5451c8 | 0x710 | data | | | 0.3008849557522124 |
RT_STRING | 0x5458d8 | 0x238 | data | | | 0.44190140845070425 |
RT_STRING | 0x545b10 | 0x3e0 | data | | | 0.39919354838709675 |
RT_STRING | 0x545ef0 | 0x5b8 | data | | | 0.34904371584699456 |
RT_STRING | 0x5464a8 | 0x638 | data | | | 0.3806532663316583 |
RT_STRING | 0x546ae0 | 0x3b0 | data | | | 0.4385593220338983 |
RT_STRING | 0x546e90 | 0x470 | data | | | 0.3908450704225352 |
RT_STRING | 0x547300 | 0x344 | data | | | 0.41148325358851673 |
RT_STRING | 0x547644 | 0x420 | data | | | 0.4015151515151515 |
RT_STRING | 0x547a64 | 0x39c | data | | | 0.43614718614718617 |
RT_STRING | 0x547e00 | 0x388 | data | | | 0.38716814159292035 |
RT_STRING | 0x548188 | 0x364 | data | | | 0.3490783410138249 |
RT_STRING | 0x5484ec | 0x2c8 | data | | | 0.43820224719101125 |
RT_STRING | 0x5487b4 | 0x434 | data | | | 0.3736059479553903 |
RT_STRING | 0x548be8 | 0x384 | data | | | 0.3611111111111111 |
RT_STRING | 0x548f6c | 0x40c | data | | | 0.4034749034749035 |
RT_STRING | 0x549378 | 0x120 | data | | | 0.6215277777777778 |
RT_STRING | 0x549498 | 0xd0 | data | | | 0.6778846153846154 |
RT_STRING | 0x549568 | 0x198 | data | | | 0.5294117647058824 |
RT_STRING | 0x549700 | 0x2dc | data | | | 0.45491803278688525 |
RT_STRING | 0x5499dc | 0x3ac | data | | | 0.39787234042553193 |
RT_STRING | 0x549d88 | 0x3f4 | data | | | 0.38735177865612647 |
RT_STRING | 0x54a17c | 0x460 | data | | | 0.3794642857142857 |
RT_STRING | 0x54a5dc | 0x38c | data | | | 0.30176211453744495 |
RT_STRING | 0x54a968 | 0x374 | data | | | 0.4253393665158371 |
RT_STRING | 0x54acdc | 0x3d0 | data | | | 0.4077868852459016 |
RT_STRING | 0x54b0ac | 0x660 | data | | | 0.3449754901960784 |
RT_STRING | 0x54b70c | 0x438 | data | | | 0.3685185185185185 |
RT_STRING | 0x54bb44 | 0x46c | data | | | 0.3197879858657244 |
RT_STRING | 0x54bfb0 | 0x334 | data | | | 0.4097560975609756 |
RT_STRING | 0x54c2e4 | 0x328 | data | | | 0.35396039603960394 |
RT_STRING | 0x54c60c | 0x44c | data | | | 0.3927272727272727 |
RT_STRING | 0x54ca58 | 0x1ec | data | | | 0.3983739837398374 |
RT_STRING | 0x54cc44 | 0xc4 | data | | | 0.6428571428571429 |
RT_STRING | 0x54cd08 | 0x150 | data | | | 0.5744047619047619 |
RT_STRING | 0x54ce58 | 0x3e8 | data | | | 0.408 |
RT_STRING | 0x54d240 | 0x498 | data | | | 0.29336734693877553 |
RT_STRING | 0x54d6d8 | 0x2f8 | data | | | 0.45263157894736844 |
RT_STRING | 0x54d9d0 | 0x2f0 | data | | | 0.3776595744680851 |
RT_STRING | 0x54dcc0 | 0x368 | data | | | 0.29243119266055045 |
RT_RCDATA | 0x54e028 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013 |
RT_RCDATA | 0x54ed88 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344 |
RT_RCDATA | 0x54fae0 | 0xcfc | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003309265944645 |
RT_RCDATA | 0x5507dc | 0xcd9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033444816053512 |
RT_RCDATA | 0x5514b8 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013 |
RT_RCDATA | 0x552218 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344 |
RT_RCDATA | 0x552f70 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634 |
RT_RCDATA | 0x553bc0 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634 |
RT_RCDATA | 0x554810 | 0xcb5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033814940055334 |
RT_RCDATA | 0x5554c8 | 0xcb0 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033866995073892 |
RT_RCDATA | 0x556178 | 0xd56 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032220269478618 |
RT_RCDATA | 0x556ed0 | 0xd47 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032362459546926 |
RT_RCDATA | 0x557c18 | 0xdc2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031232254400908 |
RT_RCDATA | 0x5589dc | 0xdc5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031205673758865 |
RT_RCDATA | 0x5597a4 | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074 |
RT_RCDATA | 0x55a498 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965 |
RT_RCDATA | 0x55b188 | 0xda9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031455533314269 |
RT_RCDATA | 0x55bf34 | 0xda6 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031482541499714 |
RT_RCDATA | 0x55ccdc | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074 |
RT_RCDATA | 0x55d9d0 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965 |
RT_RCDATA | 0x55e6c0 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0x55e6d0 | 0x148b | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020916524054002 |
RT_RCDATA | 0x55fb5c | 0x111e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025102692834322 |
RT_RCDATA | 0x560c7c | 0xd8c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031718569780854 |
RT_RCDATA | 0x561a08 | 0x1394 | data | | | 0.47186751795690346 |
RT_RCDATA | 0x562d9c | 0x4 | data | English | United States | 3.0 |
RT_RCDATA | 0x562da0 | 0xb16 | Delphi compiled form 'TForm1' | | | 0.42353770260747003 |
RT_RCDATA | 0x5638b8 | 0x947bdb | Delphi compiled form 'TForm2' | | | 0.033049583435058594 |
RT_RCDATA | 0xeab494 | 0x1601 | Delphi compiled form 'TForm3' | | | 0.307651340315995 |
RT_RCDATA | 0xeaca98 | 0x20e034 | Delphi compiled form 'TForm4' | | | 0.04551410675048828 |
RT_GROUP_CURSOR | 0x10baacc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x10baae0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x10baaf4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x10bab08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x10bab1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x10bab30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x10bab44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x10bab58 | 0x76 | data | English | United States | 0.7033898305084746 |
RT_VERSION | 0x10babd0 | 0x204 | data | English | United States | 0.4903100775193798 |
RT_MANIFEST | 0x10badd4 | 0x70b | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.403771491957848 |
DLL | Import |
---|---|
wininet.dll | InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW |
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW |
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage |
shell32.dll | Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW |
user32.dll | MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, ClipCursor, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, SetSystemCursor, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetWindowTextLengthW, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, mouse_event, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, keybd_event, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, IsCharAlphaW, GetCursor, KillTimer, BeginDeferWindowPos, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, VkKeyScanW, DestroyMenu, SetWindowsHookExW, EmptyClipboard, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CountClipboardFormats, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, DeferWindowPos, HideCaret, EndDeferWindowPos, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
oleaut32.dll | SafeArrayPutElement, SafeArrayDestroy, SetErrorInfo, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, CreateErrorInfo, SafeArrayGetElement, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, SafeArrayGetElemsize, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType, SafeArrayCopy |
WTSAPI32.DLL | WTSUnRegisterSessionNotification, WTSRegisterSessionNotification |
advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegQueryValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW |
msvcrt.dll | memcpy, memset |
kernel32.dll | SetFileAttributesW, GetFileTime, GetFileType, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetFileAttributesExW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, SetCurrentDirectoryW, GetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, WinExec, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale |
wsock32.dll | gethostbyaddr, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, inet_addr, getpeername, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, ntohs, htons, WSAStartup, getservbyname, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, WSAAsyncGetHostByName |
ole32.dll | IsEqualGUID, OleInitialize, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID |
gdi32.dll | Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, FrameRgn, BitBlt, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, CombineRgn, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries |
Magnification.dll | MagSetWindowSource, MagInitialize, MagSetImageScalingCallback, MagSetWindowFilterList |
Name | Ordinal | Address |
---|---|---|
__dbk_fcall_wrapper | 2 | 0x412dcc |
dbkFCallWrapperAddr | 1 | 0x8be644 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-19T20:36:17.886678+0100 | 2020315 | ET MALWARE KL-Remote / Cryp_Banker14 RAT connection | 1 | 192.168.2.7 | 49707 | 24.152.39.13 | 55417 | TCP |
2024-11-19T20:36:18.601634+0100 | 2020316 | ET MALWARE KL-Remote / Cryp_Banker14 RAT response | 1 | 24.152.39.13 | 55417 | 192.168.2.7 | 49707 | TCP |
- Total Packets: 25
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 19, 2024 20:36:12.193453074 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213 |
Nov 19, 2024 20:36:12.198350906 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7 |
Nov 19, 2024 20:36:12.198424101 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213 |
Nov 19, 2024 20:36:12.198534012 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213 |
Nov 19, 2024 20:36:12.203464985 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7 |
Nov 19, 2024 20:36:12.784324884 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7 |
Nov 19, 2024 20:36:12.789654970 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213 |
Nov 19, 2024 20:36:12.804812908 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7 |
Nov 19, 2024 20:36:12.804873943 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213 |
Nov 19, 2024 20:36:14.645380974 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:36:14.650243044 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7 |
Nov 19, 2024 20:36:14.650414944 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:36:14.650507927 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:36:14.655545950 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7 |
Nov 19, 2024 20:36:15.313024044 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7 |
Nov 19, 2024 20:36:15.313102007 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:36:17.545587063 CET | 49705 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:17.557590961 CET | 55417 | 49705 | 24.152.39.13 | 192.168.2.7 |
Nov 19, 2024 20:36:17.557662010 CET | 49705 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:17.881633043 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:17.886504889 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7 |
Nov 19, 2024 20:36:17.886565924 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:17.886677980 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:17.891702890 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7 |
Nov 19, 2024 20:36:18.601634026 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7 |
Nov 19, 2024 20:36:18.601947069 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:18.606892109 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7 |
Nov 19, 2024 20:36:18.772856951 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7 |
Nov 19, 2024 20:36:18.959151983 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13 |
Nov 19, 2024 20:36:20.317301989 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7 |
Nov 19, 2024 20:36:20.317383051 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:38:04.626252890 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:38:04.929569006 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:38:05.537547112 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:38:06.750593901 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:38:09.161593914 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Nov 19, 2024 20:38:13.968336105 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 19, 2024 20:36:12.183645010 CET | 59931 | 53 | 192.168.2.7 | 1.1.1.1 |
Nov 19, 2024 20:36:12.190618038 CET | 53 | 59931 | 1.1.1.1 | 192.168.2.7 |
Nov 19, 2024 20:36:17.245806932 CET | 57488 | 53 | 192.168.2.7 | 1.1.1.1 |
Nov 19, 2024 20:36:17.379138947 CET | 53 | 57488 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 19, 2024 20:36:12.183645010 CET | 192.168.2.7 | 1.1.1.1 | 0x4a00 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 19, 2024 20:36:17.245806932 CET | 192.168.2.7 | 1.1.1.1 | 0x18fc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 19, 2024 20:36:12.190618038 CET | 1.1.1.1 | 192.168.2.7 | 0x4a00 | No error (0) | | | 104.237.62.213 | A (IP address) | IN (0x0001) | false |
Nov 19, 2024 20:36:12.190618038 CET | 1.1.1.1 | 192.168.2.7 | 0x4a00 | No error (0) | | | 173.231.16.77 | A (IP address) | IN (0x0001) | false |
Nov 19, 2024 20:36:17.379138947 CET | 1.1.1.1 | 192.168.2.7 | 0x18fc | No error (0) | | | 24.152.39.13 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49701 | 104.237.62.213 | 80 | 6300 | C:\Users\user\Desktop\ring.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 19, 2024 20:36:12.198534012 CET | 178 | OUT | |
Nov 19, 2024 20:36:12.784324884 CET | 166 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.7 | 49702 | 154.205.156.20 | 80 | 6300 | C:\Users\user\Desktop\ring.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Nov 19, 2024 20:36:14.650507927 CET | 275 | OUT | |
Nov 19, 2024 20:36:15.313024044 CET | 372 | IN | |
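A correlation pass over the network tables above, as an added example that is not part of the report: it pairs the two ET alerts with the TCP flow they fired on, finds the earlier connection to the same endpoint (source port 49705) that raised no alert, ties 24.152.39.13 back to the DNS answer with transaction ID 0x18fc, and flags 154.205.156.20 as a host contacted without any observed DNS answer and 173.231.16.77 as an answer that was never used. The rows are copied from the report (the packet list is trimmed to the two C2 flows plus one packet per HTTP flow), the column order is assumed to match the report's tables, and parse_rows is an ad-hoc splitter for these pipe-delimited rows, not a Joe Sandbox export parser.

```python
"""Added triage helper for the network tables above (not part of the report):
pair IDS alerts with TCP flows, spot sibling flows to the same C2 endpoint,
trace the endpoint to the DNS answer that produced it, and list contacted hosts
that no observed DNS answer explains. Column layouts are assumed to match the
report's tables; malformed rows are not validated."""
import ipaddress
from collections import defaultdict

def parse_rows(text):
    """Split pipe-delimited table rows into stripped cells; skip blank and '---' lines."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] and not cells[0].startswith("---"):
            rows.append(cells)
    return rows

# Constructed input, copied from the alert table: (timestamp, SID, signature, severity,
# src IP, src port, dst IP, dst port, protocol).
ALERTS = parse_rows("""
2024-11-19T20:36:17.886678+0100 | 2020315 | ET MALWARE KL-Remote / Cryp_Banker14 RAT connection | 1 | 192.168.2.7 | 49707 | 24.152.39.13 | 55417 | TCP
2024-11-19T20:36:18.601634+0100 | 2020316 | ET MALWARE KL-Remote / Cryp_Banker14 RAT response | 1 | 24.152.39.13 | 55417 | 192.168.2.7 | 49707 | TCP
""")
# Constructed input, a subset of the TCP packet table: (timestamp, src port, dst port,
# src IP, dst IP). The HTTP flows are cut to one packet each; the C2 flows are complete.
PACKETS = parse_rows("""
Nov 19, 2024 20:36:12.193453074 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213
Nov 19, 2024 20:36:14.645380974 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:36:17.545587063 CET | 49705 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.557590961 CET | 55417 | 49705 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:17.557662010 CET | 49705 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.881633043 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.886504889 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:17.886565924 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.886677980 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.891702890 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.601634026 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.601947069 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:18.606892109 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.772856951 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.959151983 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
""")
# Constructed input, copied from the DNS answer table: (timestamp, src, dst, txid, rcode,
# name, cname, address, type, class, doh); name and cname are empty on the page.
DNS_ANSWERS = parse_rows("""
Nov 19, 2024 20:36:12.190618038 CET | 1.1.1.1 | 192.168.2.7 | 0x4a00 | No error (0) | | | 104.237.62.213 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 20:36:12.190618038 CET | 1.1.1.1 | 192.168.2.7 | 0x4a00 | No error (0) | | | 173.231.16.77 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 20:36:17.379138947 CET | 1.1.1.1 | 192.168.2.7 | 0x18fc | No error (0) | | | 24.152.39.13 | A (IP address) | IN (0x0001) | false
""")

def flow_key(a_ip, a_port, b_ip, b_port):
    """Direction-independent key so both halves of a conversation map to one flow."""
    return tuple(sorted([(a_ip, int(a_port)), (b_ip, int(b_port))]))

def remote_endpoint(key):
    """The non-private side of a flow as 'ip:port', or None for local-only traffic."""
    ends = [f"{ip}:{port}" for ip, port in key if not ipaddress.ip_address(ip).is_private]
    return ends[0] if ends else None

def build_flows(packets):
    """Aggregate packet rows into flows with packet counts and first/last timestamps."""
    flows = {}
    for ts, sport, dport, src, dst in packets:
        f = flows.setdefault(flow_key(src, sport, dst, dport), {"packets": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["last"] = ts
    return flows

def alerted_flows(alerts, flows):
    """Flow key -> signatures that fired on it plus its packet count (0 when the flow
    table has no packets for it, which is itself worth noticing)."""
    hits = defaultdict(list)
    for _ts, sid, sig, _sev, src, sport, dst, dport, _proto in alerts:
        hits[flow_key(src, sport, dst, dport)].append((int(sid), sig))
    return {k: {"signatures": v, "packets": flows.get(k, {}).get("packets", 0)} for k, v in hits.items()}

def dns_origin(answers, ip):
    """Transaction ID of the answer that returned `ip`; None means the capture never
    resolved it (hard-coded address, or a lookup outside the capture window)."""
    return next((row[3] for row in answers if row[7] == ip), None)

def summarize(alerts=ALERTS, packets=PACKETS, answers=DNS_ANSWERS):
    flows = build_flows(packets)
    hits = alerted_flows(alerts, flows)
    c2 = {remote_endpoint(k) for k in hits}
    # Sibling flows reach the same C2 endpoint but raised no alert (e.g. a first connect
    # that carried no payload); they still belong in the timeline and the indicator list.
    siblings = [k for k in flows if remote_endpoint(k) in c2 and k not in hits]
    contacted = {e.split(":")[0] for e in map(remote_endpoint, flows) if e}
    resolved = {row[7] for row in answers}
    return {
        "c2": c2,
        "c2_alert_packets": sum(h["packets"] for h in hits.values()),
        "c2_sibling_flows": len(siblings),
        "c2_dns_txid": {e.split(":")[0]: dns_origin(answers, e.split(":")[0]) for e in c2},
        "contacted_without_dns": contacted - resolved,   # candidate hard-coded IPs
        "resolved_not_contacted": resolved - contacted,  # e.g. an unused second A record
    }
```

Call summarize() to get the indicator summary as a dict. Because the Name cells of the DNS tables are empty on this page, the queried hostnames are not recoverable here, so the pass keys on addresses only; the DNS transaction ID is what links the answer to the later connection.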
Target ID: | 4 |
Start time: | 14:36:10 |
Start date: | 19/11/2024 |
Path: | C:\Users\user\Desktop\ring.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7c0000 |
File size: | 17'488'384 bytes |
MD5 hash: | DEC85DE31C5A9E3754AB0FCFED8A3E79 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | false |
Target ID: | 8 |
Start time: | 14:36:15 |
Start date: | 19/11/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x410000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 14:36:15 |
Start date: | 19/11/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff75da10000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 14:36:15 |
Start date: | 19/11/2024 |
Path: | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 433'152 bytes |
MD5 hash: | C32CA4ACFCC635EC1EA6ED8A34DF5FAC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 14:36:18 |
Start date: | 19/11/2024 |
Path: | C:\Windows\System32\wbem\WmiPrvSE.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7fb730000 |
File size: | 496'640 bytes |
MD5 hash: | 60FF40CFD7FB8FE41EE4FE9AE5FE1C51 |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 13 |
Start time: | 14:36:28 |
Start date: | 19/11/2024 |
Path: | C:\Users\user\AppData\Roaming\Win_24230\ring.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcb0000 |
File size: | 17'488'384 bytes |
MD5 hash: | DEC85DE31C5A9E3754AB0FCFED8A3E79 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | Borland Delphi |
Antivirus matches: |
Reputation: | low |
Has exited: | true |
Target ID: | 14 |
Start time: | 15:37:19 |
Start date: | 19/11/2024 |
Path: | C:\Users\user\AppData\Roaming\Win_24230\ring.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcb0000 |
File size: | 17'488'384 bytes |
MD5 hash: | DEC85DE31C5A9E3754AB0FCFED8A3E79 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |