Edit tour
Windows
Analysis Report
Invoice.exe
Overview
General Information
| Sample name: | Invoice.exe |
| Analysis ID: | 1577108 |
| MD5: | ed9fc958c1d37ad9ce8a699ed784d38c |
| SHA1: | 0fc1930cf64698811d666a9c629d2d97cb52fc48 |
| SHA256: | 34ff26db794de31e8c1ca677b67160a58c195ce7f0cb886aaa6ce276e5b1704e |
| Infos: |  |
 | |
Detection
Snake Keylogger
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
Invoice.exe (PID: 1216 cmdline: "C:\Users\ user\Deskt op\Invoice .exe" MD5: ED9FC958C1D37AD9CE8A699ED784D38C) 
RegSvcs.exe (PID: 3868 cmdline: "C:\Users\ user\Deskt op\Invoice .exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| 404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution |
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7711259782:AAFRZ8phIxNuh8jeF6aEI_S0MRFAR5DWg50/sendMessage?chat_id=1429473750", "Token": "7711259782:AAFRZ8phIxNuh8jeF6aEI_S0MRFAR5DWg50", "Chat_id": "1429473750", "Version": "5.1"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| |
| Click to see the 16 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T02:40:23.676833+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.177.134 | 443 | TCP |
| 2024-12-18T02:40:38.430253+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 172.67.177.134 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T02:40:19.222737+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 193.122.6.168 | 80 | TCP |
| 2024-12-18T02:40:22.003888+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 193.122.6.168 | 80 | TCP |
| 2024-12-18T02:40:26.113221+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | File source: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | String found in binary or memory: | memstr_380e53b7-6 | |
| Source: | String found in binary or memory: | memstr_07ab392a-e | |
| Source: | String found in binary or memory: | memstr_40ecbc44-5 | |
| Source: | String found in binary or memory: | memstr_dafd6f3a-2 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Icon embedded in binary file: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 212 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Virtualization/Sandbox Evasion | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 212 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 44% | Virustotal | Browse | ||
| 67% | ReversingLabs | Win32.Trojan.AutoitInject | ||
| 100% | Avira | HEUR/AGEN.1319493 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high | |
| reallyfreegeoip.org | 172.67.177.134 | true | false | high | |
| checkip.dyndns.com | 193.122.6.168 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false | |
| 172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1577108 |
| Start date and time: | 2024-12-18 02:39:15 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 43s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Invoice.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/2@2/2 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.109.210.53, 13.107.246.63
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 20:40:21 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 193.122.6.168 | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| 172.67.177.134 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | ||
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | VIP Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | |||
| Get hash | malicious | Snake Keylogger | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse | |||
| Get hash | malicious | MassLogger RAT | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| checkip.dyndns.com | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| bg.microsoft.map.fastly.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | ScreenConnect Tool | Browse |
| ||
| Get hash | malicious | DanaBot, Nitol | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | WinSearchAbuse | Browse |
| ||
| Get hash | malicious | BruteRatel, Latrodectus | Browse |
| ||
| reallyfreegeoip.org | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ORACLE-BMC-31898US | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | CAPTCHA Scam ClickFix | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GO Miner, Xmrig | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Phemedrone Stealer | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\Invoice.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 81920 |
| Entropy (8bit): | 7.871336212200945 |
| Encrypted: | false |
| SSDEEP: | 1536:2/SxQA/nruzUFTp5r4Zd+Zvf8MtgixU83mN/RaAG2LmIw/7Pvj3s:26xznrgU5r4SkMtRZc/YrKmpjXDs |
| MD5: | E7F16FAA664E473D245F7D0DB1231FE6 |
| SHA1: | 21B29657A3BC7D107591F1F1848ED93F24B11582 |
| SHA-256: | E0A71154B80B7BBBC99A86EC9D5E90F043E4233CD4D3D536F80ACE851032BB3D |
| SHA-512: | F94106737EDF8F6F1512E2A45ECA84C4CD0E49D5DEF21C8A8E40611530782A9955457811355F69E793B3892F1915BBAB32BEA62593A952482849EDECEA7CC6A9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Invoice.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 133632 |
| Entropy (8bit): | 6.906470324136524 |
| Encrypted: | false |
| SSDEEP: | 1536:RhXrm1Zj7Hyt4qGvC8xAEGFqFFLB1OmsYTLHO9UY4QcrE+ua2n3bcqjlAFrc9pV8:GxJUqnB1Cma3bckaYpVrkSMf1nzWFbI7 |
| MD5: | 23BD7BAF187198D6358842835FC75C67 |
| SHA1: | 2DB191B4E73B5E0B6FFB1F5C16766C34E576A3B0 |
| SHA-256: | 6DA3F67ADA180DDADA4E262B2C4F88C02BD28866D74CAAD24A244C60102B6128 |
| SHA-512: | 92253833C32D8775857ED19B7CC999728A1D1A7CF0CE2C61F45A2375638413B9DB50EF05D714C6AD7D0F3F9C4A9F370A7931F8383B2C17DA4E70F502292C0E29 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.794211211927992 |
| TrID: |
|
| File name: | Invoice.exe |
| File size: | 1'135'616 bytes |
| MD5: | ed9fc958c1d37ad9ce8a699ed784d38c |
| SHA1: | 0fc1930cf64698811d666a9c629d2d97cb52fc48 |
| SHA256: | 34ff26db794de31e8c1ca677b67160a58c195ce7f0cb886aaa6ce276e5b1704e |
| SHA512: | 8dba140012f9997d4b2d7ad2a69b70e03f1c3b8a94cc6761120903d12079c8d7fa2e5cee4aeada879ea34b77082f63cab98effbf629c914042324cde8c16c729 |
| SSDEEP: | 24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aSA0HjYw8L:STvC/MTQYxsWR7aSA0HjY |
| TLSH: | 4C35AFD27380C022FE9791324A7BF663567A661E4C27951F16943E7BBD70362013FAA3 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z.... |
 | |
| Icon Hash: | 2eec8e8cb683b9b1 |
| Entrypoint: | 0x420577 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6761368E [Tue Dec 17 08:30:06 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 948cc502fe9226992dce9417f952fce3 |
| Instruction |
|---|
| call 00007F45AD233813h |
| jmp 00007F45AD23311Fh |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F45AD2332FDh |
| mov dword ptr [esi], 0049FDF0h |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FDF8h |
| mov dword ptr [ecx], 0049FDF0h |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F45AD2332CAh |
| mov dword ptr [esi], 0049FE0Ch |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FE14h |
| mov dword ptr [ecx], 0049FE0Ch |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| and dword ptr [eax], 00000000h |
| and dword ptr [eax+04h], 00000000h |
| push eax |
| mov eax, dword ptr [ebp+08h] |
| add eax, 04h |
| push eax |
| call 00007F45AD235EBDh |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| lea eax, dword ptr [ecx+04h] |
| mov dword ptr [ecx], 0049FDD0h |
| push eax |
| call 00007F45AD235F08h |
| pop ecx |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| push eax |
| call 00007F45AD235EF1h |
| test byte ptr [ebp+08h], 00000001h |
| pop ecx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x3ea00 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x113000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x3ea00 | 0x3ea00 | 70de66cee2577f030988fc2b7a73e41f | False | 0.6374360653692615 | data | 6.99716119235319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x113000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd4410 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd4538 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | Great Britain | 0.2649377593360996 |
| RT_ICON | 0xd6ae0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | Great Britain | 0.3646810506566604 |
| RT_ICON | 0xd7b88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | Great Britain | 0.5549645390070922 |
| RT_ICON | 0xd7ff0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m | English | Great Britain | 0.18115257439773264 |
| RT_ICON | 0xdc218 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | Great Britain | 0.0959718443156276 |
| RT_STRING | 0xeca40 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xecfd4 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0xed660 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xedaf0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xee0ec | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xee748 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xeebb0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xeed08 | 0x237c9 | data | 1.0003508699510846 | ||
| RT_GROUP_ICON | 0x1124d4 | 0x4c | data | English | Great Britain | 0.8157894736842105 |
| RT_GROUP_ICON | 0x112520 | 0x14 | data | English | Great Britain | 1.15 |
| RT_VERSION | 0x112534 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x112610 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
| WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
| USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
| USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
| GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
| SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
| OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-18T02:40:19.222737+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 193.122.6.168 | 80 | TCP |
| 2024-12-18T02:40:22.003888+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 193.122.6.168 | 80 | TCP |
| 2024-12-18T02:40:23.676833+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49738 | 172.67.177.134 | 443 | TCP |
| 2024-12-18T02:40:26.113221+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP |
| 2024-12-18T02:40:38.430253+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49747 | 172.67.177.134 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 18, 2024 02:40:15.372658014 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:15.492332935 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:15.492578030 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:15.492976904 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:15.614273071 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:18.769539118 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:18.775685072 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:18.895298958 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:19.181281090 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:19.222737074 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:19.828473091 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:19.828510046 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:19.828881025 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:19.841763973 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:19.841801882 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.071147919 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.071286917 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.077450991 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.077477932 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.078000069 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.128962994 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.189143896 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.231343985 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.528022051 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.528167009 CET | 443 | 49737 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.528229952 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.544713020 CET | 49737 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.549729109 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:21.670928001 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.955837011 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.960165024 CET | 49738 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.960254908 CET | 443 | 49738 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:21.960366964 CET | 49738 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.960704088 CET | 49738 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:21.960736990 CET | 443 | 49738 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:22.003887892 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:23.226461887 CET | 443 | 49738 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:23.228403091 CET | 49738 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:23.228467941 CET | 443 | 49738 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:23.676752090 CET | 443 | 49738 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:23.676911116 CET | 443 | 49738 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:23.676984072 CET | 49738 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:23.677275896 CET | 49738 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:23.680213928 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:23.681495905 CET | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:23.800209045 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:23.800280094 CET | 49736 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:23.800937891 CET | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:23.801009893 CET | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:23.801192045 CET | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:23.920761108 CET | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:26.068425894 CET | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:26.069700956 CET | 49740 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:26.069737911 CET | 443 | 49740 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:26.069819927 CET | 49740 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:26.070097923 CET | 49740 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:26.070116997 CET | 443 | 49740 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:26.113220930 CET | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:27.292398930 CET | 443 | 49740 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:27.294819117 CET | 49740 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:27.294846058 CET | 443 | 49740 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:27.766701937 CET | 443 | 49740 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:27.766844034 CET | 443 | 49740 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:27.766905069 CET | 49740 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:27.767642021 CET | 49740 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:27.774925947 CET | 49742 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:27.894428968 CET | 80 | 49742 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:27.894534111 CET | 49742 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:27.894717932 CET | 49742 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:28.014369965 CET | 80 | 49742 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:30.168672085 CET | 80 | 49742 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:30.173180103 CET | 49743 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:30.173264027 CET | 443 | 49743 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:30.173494101 CET | 49743 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:30.173810959 CET | 49743 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:30.173841000 CET | 443 | 49743 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:30.222774982 CET | 49742 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:31.830522060 CET | 443 | 49743 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:31.833647966 CET | 49743 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:31.833729029 CET | 443 | 49743 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:32.284504890 CET | 443 | 49743 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:32.284693003 CET | 443 | 49743 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:32.285083055 CET | 49743 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:32.285474062 CET | 49743 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:32.288650036 CET | 49742 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:32.289654016 CET | 49744 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:32.408727884 CET | 80 | 49742 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:32.408902884 CET | 49742 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:32.409162045 CET | 80 | 49744 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:32.409343958 CET | 49744 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:32.409403086 CET | 49744 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:32.529006958 CET | 80 | 49744 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:33.696084023 CET | 80 | 49744 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:33.697643995 CET | 49745 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:33.697734118 CET | 443 | 49745 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:33.698035002 CET | 49745 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:33.698163986 CET | 49745 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:33.698185921 CET | 443 | 49745 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:33.738430023 CET | 49744 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:34.913805962 CET | 443 | 49745 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:34.916379929 CET | 49745 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:34.916426897 CET | 443 | 49745 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:35.361289024 CET | 443 | 49745 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:35.361444950 CET | 443 | 49745 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:35.361521006 CET | 49745 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:35.362046957 CET | 49745 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:35.367203951 CET | 49744 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:35.368736029 CET | 49746 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:35.487095118 CET | 80 | 49744 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:35.487338066 CET | 49744 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:35.488177061 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:35.488308907 CET | 49746 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:35.488605022 CET | 49746 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:35.608172894 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:36.757653952 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:36.759167910 CET | 49747 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:36.759258032 CET | 443 | 49747 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:36.759366989 CET | 49747 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:36.759752989 CET | 49747 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:36.759788036 CET | 443 | 49747 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:36.800717115 CET | 49746 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:37.980010986 CET | 443 | 49747 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:37.982305050 CET | 49747 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:37.982346058 CET | 443 | 49747 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:38.430325031 CET | 443 | 49747 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:38.430473089 CET | 443 | 49747 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:38.430542946 CET | 49747 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:38.430943012 CET | 49747 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:38.435888052 CET | 49746 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:38.436654091 CET | 49748 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:38.555685043 CET | 80 | 49746 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:38.555954933 CET | 49746 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:38.556189060 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:38.556377888 CET | 49748 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:38.556469917 CET | 49748 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:38.676243067 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:40.706346035 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:40.707458019 CET | 49749 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:40.707494020 CET | 443 | 49749 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:40.707565069 CET | 49749 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:40.707797050 CET | 49749 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:40.707815886 CET | 443 | 49749 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:40.753835917 CET | 49748 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:41.925631046 CET | 443 | 49749 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:41.927357912 CET | 49749 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:41.927400112 CET | 443 | 49749 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:42.375041008 CET | 443 | 49749 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:42.375195980 CET | 443 | 49749 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:42.375308037 CET | 49749 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:42.375633955 CET | 49749 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:42.378818035 CET | 49748 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:42.379358053 CET | 49750 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:42.498655081 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:42.498760939 CET | 49748 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:42.498855114 CET | 80 | 49750 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:42.498941898 CET | 49750 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:42.536618948 CET | 49750 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:42.656352043 CET | 80 | 49750 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:43.920918941 CET | 80 | 49750 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:40:43.922380924 CET | 49751 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:43.922416925 CET | 443 | 49751 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:43.922525883 CET | 49751 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:43.922804117 CET | 49751 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:43.922825098 CET | 443 | 49751 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:43.972637892 CET | 49750 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:40:45.137572050 CET | 443 | 49751 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:45.139528990 CET | 49751 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:45.139558077 CET | 443 | 49751 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:45.588287115 CET | 443 | 49751 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:45.588462114 CET | 443 | 49751 | 172.67.177.134 | 192.168.2.4 |
| Dec 18, 2024 02:40:45.588536978 CET | 49751 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:40:45.596178055 CET | 49751 | 443 | 192.168.2.4 | 172.67.177.134 |
| Dec 18, 2024 02:41:31.073062897 CET | 80 | 49739 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:41:31.073635101 CET | 49739 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:41:48.920854092 CET | 80 | 49750 | 193.122.6.168 | 192.168.2.4 |
| Dec 18, 2024 02:41:48.922030926 CET | 49750 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:42:23.925906897 CET | 49750 | 80 | 192.168.2.4 | 193.122.6.168 |
| Dec 18, 2024 02:42:24.045403957 CET | 80 | 49750 | 193.122.6.168 | 192.168.2.4 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 18, 2024 02:40:15.229321957 CET | 55715 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 18, 2024 02:40:15.366576910 CET | 53 | 55715 | 1.1.1.1 | 192.168.2.4 |
| Dec 18, 2024 02:40:19.232636929 CET | 64358 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 18, 2024 02:40:19.827163935 CET | 53 | 64358 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 18, 2024 02:40:15.229321957 CET | 192.168.2.4 | 1.1.1.1 | 0x3726 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 18, 2024 02:40:19.232636929 CET | 192.168.2.4 | 1.1.1.1 | 0xb03c | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 18, 2024 02:40:05.121443987 CET | 1.1.1.1 | 192.168.2.4 | 0x1ea3 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:05.121443987 CET | 1.1.1.1 | 192.168.2.4 | 0x1ea3 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:15.366576910 CET | 1.1.1.1 | 192.168.2.4 | 0x3726 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:15.366576910 CET | 1.1.1.1 | 192.168.2.4 | 0x3726 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:15.366576910 CET | 1.1.1.1 | 192.168.2.4 | 0x3726 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:15.366576910 CET | 1.1.1.1 | 192.168.2.4 | 0x3726 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:15.366576910 CET | 1.1.1.1 | 192.168.2.4 | 0x3726 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:15.366576910 CET | 1.1.1.1 | 192.168.2.4 | 0x3726 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:19.827163935 CET | 1.1.1.1 | 192.168.2.4 | 0xb03c | No error (0) | 172.67.177.134 | A (IP address) | IN (0x0001) | false | ||
| Dec 18, 2024 02:40:19.827163935 CET | 1.1.1.1 | 192.168.2.4 | 0xb03c | No error (0) | 104.21.67.152 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49736 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:15.492976904 CET | 151 | OUT | |
| Dec 18, 2024 02:40:18.769539118 CET | 321 | IN | |
| Dec 18, 2024 02:40:18.775685072 CET | 127 | OUT | |
| Dec 18, 2024 02:40:19.181281090 CET | 321 | IN | |
| Dec 18, 2024 02:40:21.549729109 CET | 127 | OUT | |
| Dec 18, 2024 02:40:21.955837011 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:23.801192045 CET | 127 | OUT | |
| Dec 18, 2024 02:40:26.068425894 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49742 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:27.894717932 CET | 151 | OUT | |
| Dec 18, 2024 02:40:30.168672085 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49744 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:32.409403086 CET | 151 | OUT | |
| Dec 18, 2024 02:40:33.696084023 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49746 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:35.488605022 CET | 151 | OUT | |
| Dec 18, 2024 02:40:36.757653952 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49748 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:38.556469917 CET | 151 | OUT | |
| Dec 18, 2024 02:40:40.706346035 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49750 | 193.122.6.168 | 80 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Dec 18, 2024 02:40:42.536618948 CET | 151 | OUT | |
| Dec 18, 2024 02:40:43.920918941 CET | 321 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49737 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:21 UTC | 85 | OUT | |
| 2024-12-18 01:40:21 UTC | 874 | IN | |
| 2024-12-18 01:40:21 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49738 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:23 UTC | 61 | OUT | |
| 2024-12-18 01:40:23 UTC | 877 | IN | |
| 2024-12-18 01:40:23 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49740 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:27 UTC | 85 | OUT | |
| 2024-12-18 01:40:27 UTC | 874 | IN | |
| 2024-12-18 01:40:27 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49743 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:31 UTC | 85 | OUT | |
| 2024-12-18 01:40:32 UTC | 876 | IN | |
| 2024-12-18 01:40:32 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49745 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:34 UTC | 85 | OUT | |
| 2024-12-18 01:40:35 UTC | 878 | IN | |
| 2024-12-18 01:40:35 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49747 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:37 UTC | 61 | OUT | |
| 2024-12-18 01:40:38 UTC | 878 | IN | |
| 2024-12-18 01:40:38 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49749 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:41 UTC | 85 | OUT | |
| 2024-12-18 01:40:42 UTC | 876 | IN | |
| 2024-12-18 01:40:42 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.4 | 49751 | 172.67.177.134 | 443 | 3868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-18 01:40:45 UTC | 85 | OUT | |
| 2024-12-18 01:40:45 UTC | 878 | IN | |
| 2024-12-18 01:40:45 UTC | 362 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 20:40:10 |
| Start date: | 17/12/2024 |
| Path: | C:\Users\user\Desktop\Invoice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe10000 |
| File size: | 1'135'616 bytes |
| MD5 hash: | ED9FC958C1D37AD9CE8A699ED784D38C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 20:40:14 |
| Start date: | 17/12/2024 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6b0000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |
⊘No disassembly