Windows
Analysis Report
hGlhyegaG6.exe
Overview
General Information
Sample name: | hGlhyegaG6.exe (renamed because original name is a hash value) |
Original sample name: | 7915b71dd31bd2c6f7a6bba943525920.exe |
Analysis ID: | 1625857 |
MD5: | 7915b71dd31bd2c6f7a6bba943525920 |
SHA1: | 0eda1ff79008761704bf522162accb687894a965 |
SHA256: | baf42171b1fc708641b1214b78090ff6b95c2f1dfcc3789b322831b5b811eb9d |
Tags: | exe, ValleyRAT, user-abuse_ch |
Infos: | |
Detection
Score: | 60 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
  - hGlhyegaG6.exe (PID: 4944 cmdline: "C:\Users\user\Desktop\hGlhyegaG6.exe" MD5: 7915B71DD31BD2C6F7A6BBA943525920)
  - hGlhyegaG6.tmp (PID: 2916 cmdline: "C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp" /SL5="$30584,32291600,857600,C:\Users\user\Desktop\hGlhyegaG6.exe" MD5: 6E8DE531DFA6FFD065F93E3902A1CB51)
  - overseer.exe (PID: 3992 cmdline: "C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe" MD5: 7D81D10AA526A9F85DC4C4670AD7BDB3)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
- AV Detection
- Cryptography
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
AV Detection
Source: | ReversingLabs: | ||
Source: | Virustotal: | Perma Link |
Source: | Binary or memory string: | memstr_4d2e4271-e |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Network traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | Code function: | 2_2_0000000140001000 |
Source: | Static PE information: | ||
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | File source: | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key value created or modified: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | Virustotal: |
Source: | String found in binary or memory: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Section loaded: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Key value created or modified: | Jump to behavior |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Static PE information: |
Source: | Code function: | 2_3_0056B371 | |
Source: | Code function: | 2_3_0055C351 | |
Source: | Code function: | 2_3_00567559 | |
Source: | Code function: | 2_3_0056C131 | |
Source: | Code function: | 2_3_00567579 | |
Source: | Code function: | 2_3_0056F579 | |
Source: | File created: | Jump to dropped file | ||
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion
Source: | System information queried: | Jump to behavior |
Source: | Code function: | 2_3_0056F261 |
Source: | Code function: | 2_3_0055F4D2 |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | File opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Code function: | 2_2_0000000140126F50 |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 13 Virtualization/Sandbox Evasion | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Process Injection | Security Account Manager | 13 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 2 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
8% | ReversingLabs | |||
20% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | ReversingLabs | |||
17% | ReversingLabs | |||
3% | ReversingLabs | |||
5% | ReversingLabs | |||
10% | ReversingLabs | |||
8% | ReversingLabs | |||
8% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
8% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
29% | ReversingLabs | Win32.Trojan.Sasfis | ||
0% | ReversingLabs | |||
3% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
17% | ReversingLabs | |||
5% | ReversingLabs | |||
10% | ReversingLabs | |||
8% | ReversingLabs | |||
0% | ReversingLabs | |||
0% | ReversingLabs | |||
29% | ReversingLabs | Win32.Trojan.Sasfis |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
a366.dscd.akamai.net | 2.19.11.98 | true | false | high | |
analytics-prod-gcp.ff.avast.com | 34.117.223.223 | true | false | high | |
v7event.stats.avast.com | unknown | unknown | false | high | |
s-overseer.avcdn.net | unknown | unknown | false | high | |
analytics.ff.avast.com | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high | ||
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
34.117.223.223 | analytics-prod-gcp.ff.avast.com | United States | | 139070 | GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG | false |
2.19.11.98 | a366.dscd.akamai.net | European Union | | 719 | ELISA-AS Helsinki Finland EU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1625857 |
Start date and time: | 2025-02-27 18:20:27 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | hGlhyegaG6.exe (renamed because original name is a hash value) |
Original Sample Name: | 7915b71dd31bd2c6f7a6bba943525920.exe |
Detection: | MAL |
Classification: | mal60.evad.winEXE@5/38@5/2 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
- Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 40.126.32.134, 13.107.246.60, 20.223.36.55, 2.19.96.129
- Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target overseer.exe, PID 3992, because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
Time | Type | Description |
---|---|---|
12:21:33 | API Interceptor |
Match (IP) | Related samples | Detection | Threat names (count) |
---|---|---|---|
34.117.223.223 | 10 | malicious | Unknown (9), PrivateLoader (1) |
2.19.11.98 | 10 | malicious | HTMLPhisher (5), HTMLPhisher + Tycoon2FA (1), PureLog Stealer + Vidar (1), Unknown (3) |

Match (domain) | Related samples | Detection | Threat names (count) |
---|---|---|---|
analytics-prod-gcp.ff.avast.com | 10 | malicious | Unknown (10) |

Match (ASN) | Related samples | Detection | Threat names (count) |
---|---|---|---|
GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG | 10 | malicious | Unknown (5), DCRat + PureLog Stealer + zgRAT (3), Destiny Stealer + Phemedrone Stealer + StormKitty (1), HTMLPhisher + Invisible JS (1) |
ELISA-AS Helsinki Finland EU | 10 | malicious | Unknown (5), Mirai + Moobot (4), HTMLPhisher + Invisible JS (1) |

Match (hash) | Related samples | Detection | Threat names (count) |
---|---|---|---|
74954a0c86284d0d6e1c4efefe92b521 | 10 | malicious | Unknown (8), Quasar (2) |

Match (dropped file) | Related samples | Detection | Threat names (count) |
---|---|---|---|
C:\Users\user\AppData\Local\Temp\is-INPU8.tmp\_isetup\_setup64.tmp | 10 | malicious | Unknown (4), MicroClip (4), RMSRemoteAdmin (2) |
Dropped files: 38 entries with 18 distinct contents; where the same content was dropped more than once, Entries gives the count.

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.720366600008286 |
Encrypted: | false |
SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0 |
MD5: | E4211D6D009757C078A9FAC7FF4F03D4 |
SHA1: | 019CD56BA687D39D12D4B13991C9A42EA6BA03DA |
SHA-256: | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
SHA-512: | 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Reputation: | high, very likely benign file |

Process: | C:\Users\user\Desktop\hGlhyegaG6.exe |
File Type: | |
Category: | dropped |
Matches process: | hGlhyegaG6.tmp (PID 2916, same MD5) |
Size (bytes): | 3347968 |
Entropy (8bit): | 6.594964217507136 |
Encrypted: | false |
SSDEEP: | 49152:CdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQ5333Re+I:0JYVM+LtVt3P/KuG2ONG9iqLRQ5333E |
MD5: | 6E8DE531DFA6FFD065F93E3902A1CB51 |
SHA1: | 9A484E85432C38D9749C2DFB56E72207A6A9B88E |
SHA-256: | 0313C8B1EAF4BF8A2C920717CAD7335B7AA9C210298C659B97647E433B0272BD |
SHA-512: | 30DB086FA4E73A17F32321BC4CF4D16BD9A58540DAA9E77FE4FCA1361618B874AD33A673012D85C7A28474FB3376C739389B7321DE4D3E08581D50913C1A51D2 |
Malicious: | false |
Antivirus: | |
Reputation: | low |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 2133356 |
Entropy (8bit): | 7.958858034406502 |
Encrypted: | false |
SSDEEP: | 49152:hEm1GGw/Zh77JiahbzAhYvyBgNJNAh6gc+h66Jku9ZpD+V+sYogi6u:hESIRhhikzvyGNJNAh6gl66j7snVR |
MD5: | CE1B25AFC637CD65CA2073ED4CAA0F89 |
SHA1: | DF63FFF356F10CC91817C287C155A2936603DBE2 |
SHA-256: | FB11CDF43004A2501A8A550D333127C0076FEE06C4D7764A9EDCE100158C9874 |
SHA-512: | E546CB491563F4744971656D0FA0D989132BCED70B62620A7A569F22BE3A61892E15A64B47B7DAB814D2EE0963CF3141A1322E6608A5501AC0458DD877EB1328 |
Malicious: | true |
Antivirus: | |
Reputation: | low |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 1852343 |
Entropy (8bit): | 7.992987797929006 |
Encrypted: | true |
SSDEEP: | 49152:8fPgbXOkVdIH8r1c1DitzO+GkXVWJoJz3:j6+dIH8r1YKi+G4VOE7 |
MD5: | 1A6CB299E629634260182F26F7C0661F |
SHA1: | 851BDB0768062380951A6C429DE9D0497649AE76 |
SHA-256: | B4419DBDB3A5417AE9E39037B5AF1FE075FCAD656C12E1D8C5B822EEA6E72C19 |
SHA-512: | FC85211C8C16CB5AC0C36FEFF7273FA40A9D2C040B9CE6F5C2B5D9ABFABEC1CE21619B15E73863E67E5D18E4521018C9EFC287908E4B2F4D1F96AC29DC414FA2 |
Malicious: | true |
Antivirus: | |
Reputation: | low |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 6603672 |
Entropy (8bit): | 7.865075735815504 |
Encrypted: | false |
SSDEEP: | 196608:NAytnH/3fbFaZtxD+snNf+TNa7QXaVHMeq6R9dTa27:iyt3OUZEfHMidH |
MD5: | 5015AF231898F219B9449875055BD991 |
SHA1: | 8776F311ACBB9AD29B7AF7C5B1ACCDAB33AB3166 |
SHA-256: | DA90259734B79DFA1DC1BB104B0099DC16831B42A3D27BB4397C48E879577455 |
SHA-512: | B94B81BA856E3F6CB4703BB8CAAA62FC5A91F4227BC984E30A75811D86AC13BCD66593219C6282141141ED186F331FCE87494EC0196D35E35147DA7859FA9AA1 |
Malicious: | true |
Antivirus: | |
Reputation: | low |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 1095248 |
Entropy (8bit): | 7.3847854536731194 |
Encrypted: | false |
SSDEEP: | 24576:Z+8FYDQIdsIi3ZVmrdZvGk6Vl5WCu36ivyh9cuiJh/G5L73oH:YtuZERsk6n5WCQLucq3oH |
MD5: | 839A48C3AFC914A5627B5F68D5332AFF |
SHA1: | CA8E9D49A598AD614E8861E31DDCECCA3C8ABB4A |
SHA-256: | 4F856B9B0940C7627CC13329E5B9B99A21EDD1AB466DABD53241077C0F6353D2 |
SHA-512: | ED699354E851860F62C113F0F419C61D95395E3FB8F441C9BEC7A3F47CE2449930B23627463284E00B8D536A1F9C576C5956DD4555343C3179F73B5C1FE87D00 |
Malicious: | true |
Antivirus: | |
Reputation: | low |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 4 |
Size (bytes): | 3275912 |
Entropy (8bit): | 6.704682677119929 |
Encrypted: | false |
SSDEEP: | 49152:RI01naSsx4G5NT+NLHBTkBGm5sebVCfT9TT6S0mxf+Q0d:bG5NKN6nh86Lmxfyd |
MD5: | 3909D43C55B62C3AC16D2843A63F857B |
SHA1: | A6879E7DB07033B7908D34DA720C39A45613EEE5 |
SHA-256: | A7D833EEE668FBB9EC815B71845A3C434E77AE3CF7ECCD91C60C3F109C5181E1 |
SHA-512: | 9978946EB01CDB898C915D77A7D1818A2B17C7C851D07432FA667E80C1F19F35F057150E9822B3A0E4DD6706C6C79E835479487662339FEF08C0A0B09E0521A0 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 4 |
Size (bytes): | 1527528 |
Entropy (8bit): | 6.6753627354933744 |
Encrypted: | false |
SSDEEP: | 24576:+JOglUaWQcgBX4pa4SLLsQ+VWiDx6F/kvXTG860PvmeCI:+kyWEBi0Q7WiZXTLPueCI |
MD5: | 406649A8EBDBEE64943B69C2B49248C8 |
SHA1: | 03D2BC4FA3335ED2790E9DEB2683C193BC93FF14 |
SHA-256: | 04F0B3427F1C9B374BD1266ACAB80EB5C763F4196E4ACDDE195AD79396BF5D5B |
SHA-512: | FBD7F6AEC8B84C22E9DB3B14CC3E1E3AA22FA03A16296B4185EEA1FF2343DDB449A8CEF580870942FDA8B25276A314E6722A811CD6C451A8ACC8C80A2BA021A5 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 4758456 |
Entropy (8bit): | 7.9868993000639845 |
Encrypted: | false |
SSDEEP: | 98304:EIztAOnrDbONTcfRkAtNpf3oGEUa1E0roN0fcDUcfHySM:piOHscGINSGEUa1pa00DUlSM |
MD5: | E4E292C563B51EB8AC526103A736AA9F |
SHA1: | 52CEDF2CCBE9816DD71E25785F3C227C88A97E82 |
SHA-256: | 8699D7890F44CA0A7FA44796886DD9129D2F621D15E78043667D7A8E297F4908 |
SHA-512: | DA0B5F202A774133914C2C85598F27FE46DEB5520C533F030B9DC4FE89C6CA66B4143D826E13206070B82C6F50124F5879B12D25CCB3B170AFEE61C4EE39C050 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 1032896 |
Entropy (8bit): | 5.429142096187797 |
Encrypted: | false |
SSDEEP: | 12288:RVBOEu9gjRKJF5zx1xVgRxbmtIdvb3ifimF9pXDLervxnPRUrh2r/w4x:RoJ9V0Q+vb3ifTFvervxnpih2rlx |
MD5: | 4AD2FC6FFF2E693478EADC6793F76924 |
SHA1: | 70483D3952D781A088D8D990F1E3921CDA694F01 |
SHA-256: | 35018E18982188FC5F485F462E7A77FADE7E0CB632FAF632E163622815B9E90A |
SHA-512: | 44675DEE84800CB84AF65A707D491C88E99DAF3CC7AADC9F8BF4D2DAECE69D02243BA29131D89AB6F46D3E9BF7482831C3CE3264277F38A731B63891FF377605 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 6100183 |
Entropy (8bit): | 7.970907477115673 |
Encrypted: | false |
SSDEEP: | 98304:5RumfOlbeaEnjdEqiPR6ppmLAnjbg8iFoCKjYjtgCVnZrdVmDJiFq9kg22LU:5Ru9Ve9xEqM6Hm2bg8kKCRFmDJIikx |
MD5: | 50CC3FC19ED36031A5B9A49365DFC6BF |
SHA1: | 51032E78848970154558690C4B76D2E6C017143B |
SHA-256: | 16BC5778331435D0CB76A9ABD49933BA64B09F79B5C0151AD1DA3192B78159CC |
SHA-512: | 73B02C2F13BDF9DFF99ED3F9DF3F2C376BED80FD471430111AFD414CAC27CAD21DBE4EE20FBD78F9E63C354FFA47E4AE23396E41723C7A9076D25D33A680FC43 |
Malicious: | false |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 1096224 |
Entropy (8bit): | 6.826758378910142 |
Encrypted: | false |
SSDEEP: | 12288:qB613t1V9A+Tac0RDffXJjyYp88oNHSy5viczGMwP2FC1Wf3VfXJjyNpor:UG1k+2DR7BWYp88o44HP9BWNpor |
MD5: | 90B27B057D16422ACED7DBF4CF8995AA |
SHA1: | 0DE3BDE3E1DFA1CAD7363F8091242121BC71A5DA |
SHA-256: | 97147A56EB2B9A9DC60F149AE574531FB22E39B9C820F2E2A3E0AF38D56BF1DC |
SHA-512: | FAB574629B5028ABB290788AF35CFBE16A7DA617FBFE198634C07B7B2D7BAAA9BF8BDDEBC3A431D0357B3303BF118A43DC02E766E6049571E8A054464F5349D6 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 1136657 |
Entropy (8bit): | 7.985069142877887 |
Encrypted: | false |
SSDEEP: | 24576:s/cSSxt6hnMVODHtt9D/wbQOrqiWaX2CId72lgn:s/rSDULHttB8rhWaXfM2lgn |
MD5: | 54BF45525D59EA00562E92C4EA449241 |
SHA1: | AB338D1C4F2636E08D798018551556A875E1438D |
SHA-256: | F921F4BE22C2455728A63B4B68EF3C7CCC6BD9EE0162A8228E1A2D6D1D831F33 |
SHA-512: | 42B3408E0C665C8285F9D286E172D7B2DFBA4EF19EBED40704FC19F44D53750635DEFE34A2947ED30DBC85D63D8D88872AE7E1506A4BC8AF7C98BBCF3770CB32 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 240343 |
Entropy (8bit): | 6.49164314704198 |
Encrypted: | false |
SSDEEP: | 6144:8sSk7Ct4W8i5u9kKvYwVOX6IrO6rZpbeGI3:BSx8iwkKvh86dQZpb7I3 |
MD5: | 57A0F4852EDDD8D4203B59FA9897DD21 |
SHA1: | B52B42AED913CCB7F53221B2EBD3382BE00D472E |
SHA-256: | E7BBB4E10E44963ECD55ADB434CDFEB2096068D3A8CC0D82F2FCC7CFB8673CB6 |
SHA-512: | F5A52F8992BD238D75B12E52932C5531A3382C31FC8EFFEDCA4EAC5420F30DF8A9B7D744AFD548F723EDF71074192117B8A0956C85F6624CC8C7889B4C669DD7 |
Malicious: | false |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Matches process: | overseer.exe (PID 3992, same MD5), executed from C:\Users\user\AppData\Roaming\5927.2.15.32233\ |
Size (bytes): | 2170952 |
Entropy (8bit): | 6.555833138686776 |
Encrypted: | false |
SSDEEP: | 49152:kMLPHrldaIVplxcLm3J4Xn1syCZA/zIWTm2bB5XTAndMQJIV4y:S6vh2bzcndjoj |
MD5: | 7D81D10AA526A9F85DC4C4670AD7BDB3 |
SHA1: | 9F9AF5D9E70D901065104FE07291FB2354793ECE |
SHA-256: | 70CDA5C9A8095D618F96B3BA330892A7A902CDCD9F9530E82F9CB6DCA5B8AC89 |
SHA-512: | CE4C62D235FA3A23E93508D5F2F7157A45159F1C5DD6DCB24E6FE1ED9FC6F0D4AD8B5884A2304A58B2D56DF57E9CADDD206F512AC8E518E93A3CC46506A34E80 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 4311160 |
Entropy (8bit): | 7.980526290879143 |
Encrypted: | false |
SSDEEP: | 98304:IUhXP8QOfBY4E85J1s6S0HIte1adV2tvXG2RWUGT2/zpexUhqG:XhXP89J02G/FQUdEvXFTrpphqG |
MD5: | A6A41878AED135EBC51B899EE57F81BD |
SHA1: | 7E3988FFCB7DCE02031B2EB65BEFA968D94E18B9 |
SHA-256: | C7D28D502B476388E14F362A209D6F4BBD7E7DA993725A9166AFA746814C6942 |
SHA-512: | 3D692AC2711D4A02F5D481F763C3B0706A18683426A02E3461E677804DFB238BAF97666137C7F869B613AA510FDC5A04EFD2425B914BD23A113D8C1791C8DA6C |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 2928656 |
Entropy (8bit): | 7.801050631407657 |
Encrypted: | false |
SSDEEP: | 49152:ItR906umMr2gLi03MyyrDDfaDXT/51tS7+3ICGd50ygYi5e6I2apCT:It30rmhQp3MxnaDXTj94PdClDOe |
MD5: | 146EA26DF8192F1E0DC560E292270461 |
SHA1: | C01148F924CC878885F760FB3F8DAFBA5D3BFCCD |
SHA-256: | CD06EC5230853CB39C9786B680FDA7A0755673E9F21339C0DC7AF6A9B2D2BAD7 |
SHA-512: | 624A4C945A8528CC141C7B1A3C3F158457508E71BC457A5F154AAC2DDC118B74D8BA2E8E0F72284D69E8B2854674594193ADA2E4956F6A6161F8A281F1CBA1F1 |
Malicious: | true |
Antivirus: | |

Process: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
File Type: | |
Category: | dropped |
Entries: | 2 |
Size (bytes): | 411229 |
Entropy (8bit): | 6.71411131429597 |
Encrypted: | false |
SSDEEP: | 6144:s1eE0EVdcrCZPTlQU7NlTsCdASeMZlrATFCGgcydE4ktEjL7e9ZOAhhK:5Enc8PThlTzlZJATFGdSAYE |
MD5: | 2BF457117F9FA04E13B9F2C8B90AF971 |
SHA1: | 7143EEAB861D2FE155FDEA658635CBC922BEA3C1 |
SHA-256: | F1AED998EA3CF49D090F3865EA990601A44C17D3353387B0B3E1892F2F4D06AD |
SHA-512: | D0A5076C85DAE0BB2DC2D9B937B6A77AD97ACDC710667E87CAADD47917989CEF70FA2EC5E2002C5D0D49C75EB43966C9C0D595DFAD25C467770C8A8E2685DF1E |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.99671009739063 |
TrID: | |
File name: | hGlhyegaG6.exe |
File size: | 33'266'825 bytes |
MD5: | 7915b71dd31bd2c6f7a6bba943525920 |
SHA1: | 0eda1ff79008761704bf522162accb687894a965 |
SHA256: | baf42171b1fc708641b1214b78090ff6b95c2f1dfcc3789b322831b5b811eb9d |
SHA512: | 547105439ab77dee34dec4cf4c2d1e92c47b2e431907eda479f3d85f10ac22be024bb5421d36447f4a79f8f861d5573ebbcb67414620e97c7315f2b85597e195 |
SSDEEP: | 786432:Ivr1A/grfvGnjcELFbyzrtWiDdctmqqeq/dWqC/AIq:I1Q4W3UtPDdSq/aoJ |
TLSH: | 387733237287E53EE56E0B3605B2B21944FF7661A422BD26CBF444BCCF264905F2D74A |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | f0ccf4d4ccecf871 |
Entrypoint: | 0x4a83bc |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6690DABD [Fri Jul 12 07:26:53 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 40ab50289f7ef5fae60801f88d4541fc |
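The Entropy (8bit) and Encrypted columns of the dropped-file records above, and the Time Stamp, Entrypoint, Subsystem and DLL Characteristics rows of this table, are all derived from raw bytes and can be reproduced without the sandbox. The following Python is an added verification helper written for this page; it is not Joe Sandbox code and not part of the report. It parses a minimal PE32 header constructed inline to carry the report's values: the DllCharacteristics word 0x8140 is this example's own choice encoding exactly the three flags the report lists (the report shows only the names), and the entry-point RVA 0xA83BC is implied by the listed image base 0x400000 and entry point 0x4a83bc. It also decodes TimeDateStamp 0x6690DABD and computes 8-bit Shannon entropy with a packed-or-encrypted rule of thumb whose 7.9 threshold is an assumption of this example, not the report's heuristic.

```python
"""Added verification helper for this report page (not Joe Sandbox code).

Reproduces from raw bytes:
  * 'Entropy (8bit)' plus a packed-or-encrypted hint (the 7.9 threshold is an
    assumption of this example; the report's own 'Encrypted' rule is not on
    the page),
  * 'Time Stamp' from the COFF TimeDateStamp,
  * 'Entrypoint', 'Subsystem' and 'DLL Characteristics' from the PE32
    optional header.
The sample header is constructed here; 0x8140 is a chosen DllCharacteristics
value that carries exactly the three flags the report lists.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed_or_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Rule of thumb (assumption of this example): near-maximal entropy means
    compressed or encrypted content, like the 7.99-entropy blobs dropped above."""
    return shannon_entropy(data) >= threshold


def decode_pe_timestamp(ts: int) -> str:
    """COFF TimeDateStamp is seconds since the Unix epoch, shown here in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def decode_dll_characteristics(value: int) -> list:
    """Names of the set IMAGE_DLLCHARACTERISTICS_* bits, in ascending bit order."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def pe_header_summary(image: bytes) -> dict:
    """Read TimeDateStamp, entry point, subsystem and DllCharacteristics from a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", image, opt + 28)[0]  # ImageBase (PE32 layout)
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    return {
        "machine": machine,
        "sections": n_sections,
        "time_stamp": decode_pe_timestamp(timestamp),
        "entry_point": image_base + entry_rva,  # the report lists the VA, not the RVA
        "subsystem": "windows gui" if subsystem == 2 else "subsystem %d" % subsystem,
        "dll_characteristics": decode_dll_characteristics(dll_chars),
        "exe_32bit": bool(chars & 0x0002) and bool(chars & 0x0100),  # EXECUTABLE_IMAGE, 32BIT_MACHINE
    }


def build_sample_pe32_header() -> bytes:
    """Constructed minimal header with the values the report shows for the sample
    (plus the assumed 0x8140 DllCharacteristics word); no sections, no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x6690DABD, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0xA83BC)                 # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 6, 1, 6, 1, 6, 1)   # OS / image / subsystem versions 6.1
    struct.pack_into("<HH", opt, 68, 2, 0x8140)              # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, val in pe_header_summary(build_sample_pe32_header()).items():
        print("%s: %s" % (key, hex(val) if key == "entry_point" else val))
    print("entropy of a zero page:", shannon_entropy(bytes(1024)))
```

Running this on a real file means reading it with `open(path, "rb").read()` and passing the bytes to `pe_header_summary` and `shannon_entropy`; the section-level entropies in the report are the same computation applied to each section's raw bytes.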
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFA4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-3Ch], eax |
mov dword ptr [ebp-40h], eax |
mov dword ptr [ebp-5Ch], eax |
mov dword ptr [ebp-30h], eax |
mov dword ptr [ebp-38h], eax |
mov dword ptr [ebp-34h], eax |
mov dword ptr [ebp-2Ch], eax |
mov dword ptr [ebp-28h], eax |
mov dword ptr [ebp-14h], eax |
mov eax, 004A2EBCh |
call 00007F57D0651D95h |
xor eax, eax |
push ebp |
push 004A8AC1h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 004A8A7Bh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [004B0634h] |
call 00007F57D06E371Bh |
call 00007F57D06E326Eh |
lea edx, dword ptr [ebp-14h] |
xor eax, eax |
call 00007F57D06DDF48h |
mov edx, dword ptr [ebp-14h] |
mov eax, 004B41F4h |
call 00007F57D064BE43h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [004B41F4h] |
mov dl, 01h |
mov eax, dword ptr [0049CD14h] |
call 00007F57D06DF273h |
mov dword ptr [004B41F8h], eax |
xor edx, edx |
push ebp |
push 004A8A27h |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F57D06E37A3h |
mov dword ptr [004B4200h], eax |
mov eax, dword ptr [004B4200h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F57D06EA48Ah |
mov eax, dword ptr [004B4200h] |
mov edx, 00000028h |
call 00007F57D06DFB68h |
mov edx, dword ptr [004B4200h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x13d7c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0xcb000 | 0x13d7c | 0x13e00 | bcf1d506b69abcd88579fe6d65479c17 | False | 0.5466784591194969 | data | 6.5279729599424385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xcb438 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.5932213415355495 |
RT_STRING | 0xdbc60 | 0x3f8 | data | | | 0.3198818897637795 |
RT_STRING | 0xdc058 | 0x2dc | data | | | 0.36475409836065575 |
RT_STRING | 0xdc334 | 0x430 | data | | | 0.40578358208955223 |
RT_STRING | 0xdc764 | 0x44c | data | | | 0.38636363636363635 |
RT_STRING | 0xdcbb0 | 0x2d4 | data | | | 0.39226519337016574 |
RT_STRING | 0xdce84 | 0xb8 | data | | | 0.6467391304347826 |
RT_STRING | 0xdcf3c | 0x9c | data | | | 0.6410256410256411 |
RT_STRING | 0xdcfd8 | 0x374 | data | | | 0.4230769230769231 |
RT_STRING | 0xdd34c | 0x398 | data | | | 0.3358695652173913 |
RT_STRING | 0xdd6e4 | 0x368 | data | | | 0.3795871559633027 |
RT_STRING | 0xdda4c | 0x2a4 | data | | | 0.4275147928994083 |
RT_RCDATA | 0xddcf0 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0xddd00 | 0x310 | data | | | 0.6173469387755102 |
RT_RCDATA | 0xde010 | 0x2c | data | | | 1.1818181818181819 |
RT_GROUP_ICON | 0xde03c | 0x14 | data | English | United States | 1.25 |
RT_VERSION | 0xde050 | 0x584 | data | English | United States | 0.24858356940509915 |
RT_MANIFEST | 0xde5d4 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
DLL | Import |
---|---|
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
comctl32.dll | InitCommonControls |
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey |
Name | Ordinal | Address |
---|---|---|
__dbk_fcall_wrapper | 2 | 0x40fc10 |
dbkFCallWrapperAddr | 1 | 0x4b063c |
Description | Data |
---|---|
Comments | This installation was built with Inno Setup. |
CompanyName | |
FileDescription | 7.2.15.3 Setup |
FileVersion | |
LegalCopyright | |
OriginalFileName | |
ProductName | 7.2.15.3 |
ProductVersion | 7.2.15.3 |
Translation | 0x0000 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
- Total Packets: 50
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Feb 27, 2025 18:21:34.865267992 CET | 192.168.2.4 | 1.1.1.1 | 0x7580 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.973237038 CET | 192.168.2.4 | 1.1.1.1 | 0x964f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.973237038 CET | 192.168.2.4 | 1.1.1.1 | 0x3c8a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.988529921 CET | 192.168.2.4 | 1.1.1.1 | 0x4cd4 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:37.019887924 CET | 192.168.2.4 | 1.1.1.1 | 0x4d1f | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Feb 27, 2025 18:21:34.874691010 CET | 1.1.1.1 | 192.168.2.4 | 0x7580 | No error (0) | | s-overseer.avcdn.net.akamaized.net | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:34.874691010 CET | 1.1.1.1 | 192.168.2.4 | 0x7580 | No error (0) | | a366.dscd.akamai.net | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:34.874691010 CET | 1.1.1.1 | 192.168.2.4 | 0x7580 | No error (0) | | | 2.19.11.98 | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:34.874691010 CET | 1.1.1.1 | 192.168.2.4 | 0x7580 | No error (0) | | | 2.19.11.112 | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.980290890 CET | 1.1.1.1 | 192.168.2.4 | 0x964f | No error (0) | | analytics.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.980290890 CET | 1.1.1.1 | 192.168.2.4 | 0x964f | No error (0) | | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.980290890 CET | 1.1.1.1 | 192.168.2.4 | 0x964f | No error (0) | | | 34.117.223.223 | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.980874062 CET | 1.1.1.1 | 192.168.2.4 | 0x3c8a | No error (0) | | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.980874062 CET | 1.1.1.1 | 192.168.2.4 | 0x3c8a | No error (0) | | | 34.117.223.223 | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.996118069 CET | 1.1.1.1 | 192.168.2.4 | 0x4cd4 | No error (0) | | analytics.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.996118069 CET | 1.1.1.1 | 192.168.2.4 | 0x4cd4 | No error (0) | | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:36.996118069 CET | 1.1.1.1 | 192.168.2.4 | 0x4cd4 | No error (0) | | | 34.117.223.223 | A (IP address) | IN (0x0001) | false |
Feb 27, 2025 18:21:37.026649952 CET | 1.1.1.1 | 192.168.2.4 | 0x4d1f | No error (0) | | analytics-prod-gcp.ff.avast.com | | CNAME (Canonical name) | IN (0x0001) | false |
Feb 27, 2025 18:21:37.026649952 CET | 1.1.1.1 | 192.168.2.4 | 0x4d1f | No error (0) | | | 34.117.223.223 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49733 | 2.19.11.98 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-27 17:21:35 UTC | 211 | OUT | |
2025-02-27 17:21:35 UTC | 430 | IN | |
2025-02-27 17:21:35 UTC | 868 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49735 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-27 17:21:37 UTC | 205 | OUT | |
2025-02-27 17:21:37 UTC | 402 | OUT | |
2025-02-27 17:21:37 UTC | 216 | IN | |
2025-02-27 17:21:37 UTC | 19 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49736 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-27 17:21:37 UTC | 246 | OUT | |
2025-02-27 17:21:37 UTC | 205 | OUT | |
2025-02-27 17:21:37 UTC | 172 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49734 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-27 17:21:37 UTC | 246 | OUT | |
2025-02-27 17:21:37 UTC | 204 | OUT | |
2025-02-27 17:21:37 UTC | 172 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49737 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-27 17:21:37 UTC | 205 | OUT | |
2025-02-27 17:21:37 UTC | 403 | OUT | |
2025-02-27 17:21:37 UTC | 216 | IN | |
2025-02-27 17:21:37 UTC | 19 | IN |
Target ID: | 0 |
Start time: | 12:21:27 |
Start date: | 27/02/2025 |
Path: | C:\Users\user\Desktop\hGlhyegaG6.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8d0000 |
File size: | 33'266'825 bytes |
MD5 hash: | 7915B71DD31BD2C6F7A6BBA943525920 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:21:27 |
Start date: | 27/02/2025 |
Path: | C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc60000 |
File size: | 3'347'968 bytes |
MD5 hash: | 6E8DE531DFA6FFD065F93E3902A1CB51 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:21:33 |
Start date: | 27/02/2025 |
Path: | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x140000000 |
File size: | 2'170'952 bytes |
MD5 hash: | 7D81D10AA526A9F85DC4C4670AD7BDB3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |