Windows
Analysis Report
GEwWDGafs9.exe
Overview
General Information
Sample name: | GEwWDGafs9.exe (renamed because the original name is a hash value) |
Original sample name: | 1620529d44dd56fe7beb51b1dbc75fd6.exe |
Analysis ID: | 1647699 |
MD5: | 1620529d44dd56fe7beb51b1dbc75fd6 |
SHA1: | b300643e88ff98aff7d889fd8c15dbdac319ad27 |
SHA256: | 0c32fe825a579830125c18d53460860500723372977f20eb40121e687706447d |
Tags: | exe, user-abuse_ch |
Detection
Score: | 92 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- GEwWDGafs9.exe (PID: 6976, cmdline: "C:\Users\user\Desktop\GEwWDGafs9.exe", MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
  - cmd.exe (PID: 6276, cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 6184, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - cmd.exe (PID: 6420, cmdline: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      - conhost.exe (PID: 6468, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      - PING.EXE (PID: 4252, cmdline: ping localhost -n 1, MD5: 2F46799D79D22AC72C241EC0322B011D)
      - clip.exe (PID: 3676, cmdline: C:\Users\user\AppData\Local\clip.exe, MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
- clip.exe (PID: 6652, cmdline: "C:\Users\user\AppData\Local\clip.exe", MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
- clip.exe (PID: 4456, cmdline: "C:\Users\user\AppData\Local\clip.exe", MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
- cleanup
Note: clip.exe carries the same MD5 as the sample, so it is a copy of GEwWDGafs9.exe written to %LOCALAPPDATA% (see the 3'647'488-byte dropped file below). The cmd.exe wrapper uses ping as a delay before starting that copy; the two later stand-alone clip.exe instances (PIDs 6652 and 4456) coincide with the Autostart events in the timeline.
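The chain in the tree above (cmd.exe /c start cmd /C "ping localhost -n 1 && start ...\AppData\Local\clip.exe") is a common loader idiom: a cmd.exe wrapper uses ping as a built-in delay, then launches a copy of the dropper from a user-writable directory. As an added example, not part of the Joe Sandbox report, the following Python script encodes that pattern as a detection over process-creation records. The records are constructed here from the tree above (PIDs, command lines and MD5s copied from it); the parent-child links, and the image paths of PING.EXE and the inner cmd.exe, are assumptions.

```python
"""Detect the ping-delayed self-relaunch chain shown in the process tree.

Added example, not code from the Joe Sandbox report. SAMPLE_TREE is
constructed from the tree above; ppid links and the image paths of
PING.EXE and the inner cmd.exe are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int       # 0 = parent not in the record set
    image: str
    cmdline: str
    md5: str


SAMPLE_TREE = [  # constructed from the report's process tree
    Proc(6976, 0, r"C:\Users\user\Desktop\GEwWDGafs9.exe",
         r'"C:\Users\user\Desktop\GEwWDGafs9.exe"', "1620529D44DD56FE7BEB51B1DBC75FD6"),
    Proc(6276, 6976, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"',
         "8A2122E8162DBEF04694B9C3E0B6CDEE"),
    Proc(6184, 6276, r"C:\Windows\system32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "0D698AF330FD17BEE3BF90011D49251D"),
    Proc(6420, 6276, r"C:\Windows\system32\cmd.exe",  # image path assumed
         r'cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\clip.exe"',
         "8A2122E8162DBEF04694B9C3E0B6CDEE"),
    Proc(6468, 6420, r"C:\Windows\system32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "0D698AF330FD17BEE3BF90011D49251D"),
    Proc(4252, 6420, r"C:\Windows\system32\PING.EXE",  # image path assumed
         "ping localhost -n 1", "2F46799D79D22AC72C241EC0322B011D"),
    Proc(3676, 6420, r"C:\Users\user\AppData\Local\clip.exe",
         r"C:\Users\user\AppData\Local\clip.exe", "1620529D44DD56FE7BEB51B1DBC75FD6"),
]

# "ping <host> -n <N> && start <target>": ping stands in for a sleep, then
# cmd launches the target. The target may be wrapped in quotes.
DELAY_START = re.compile(
    r'ping\s+\S+\s+-n\s+(?P<count>\d+)\s*&&\s*start\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)


def ancestors(by_pid, pid):
    """Yield the parent, grandparent, ... of pid that are in the record set."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        yield cur


def find_delayed_relaunch(procs):
    """Return one finding per cmd.exe whose command line uses the
    ping-delay-then-start idiom. Each finding records whether the launched
    target lives in a user-writable directory and whether it is a
    byte-for-byte copy (same MD5) of an ancestor process, i.e. a self-relaunch."""
    by_pid = {p.pid: p for p in procs}
    by_image = {}
    for p in procs:
        by_image.setdefault(p.image.lower(), []).append(p)
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DELAY_START.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        target_md5s = {q.md5.lower() for q in by_image.get(target.lower(), [])}
        source = next((a for a in ancestors(by_pid, p.pid) if a.md5.lower() in target_md5s), None)
        findings.append({
            "cmd_pid": p.pid,
            "delay_pings": int(m.group("count")),
            "target": target,
            "user_writable": bool(USER_WRITABLE.search(target)),
            "copy_of_ancestor_pid": source.pid if source else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_delayed_relaunch(SAMPLE_TREE):
        print(finding)
```

Both cmd.exe instances in the tree are reported, each pointing at the %LOCALAPPDATA%\clip.exe target and naming PID 6976 (the sample) as the ancestor it is a copy of; the MD5 cross-check is what separates this self-relaunch from an installer that merely delays before starting an unrelated program.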
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | |
Source: | Author: Florian Roth (Nextron Systems) |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
AV Detection |
---|
Evidence type (number of rows) |
Avira URL Cloud (16) |
ReversingLabs (1) |
Virustotal, perma link (1) |
ReversingLabs (1) |
Integrated Neural Analysis Model (1) |
HTTPS traffic detected (2) |
Static PE information (1) |
Binary string (2) |
Networking |
---|
Evidence type (number of rows) |
Network traffic detected (4) |
Process created (1) |
TCP traffic (1) |
IP Address (3) |
JA3 fingerprint (1) |
DNS query (1) |
TCP traffic detected without corresponding DNS query (15) |
UDP traffic detected without corresponding DNS query (2) |
HTTP traffic detected (6) |
DNS traffic detected (2) |
String found in binary or memory (32) |
Network traffic detected (4) |
HTTPS traffic detected (2) |
Code functions, process 0 (24): 0_2_00007FF65599BCC0, 0_2_00007FF65599B900, 0_2_00007FF65599B260, 0_2_00007FF65599BE60, 0_2_00007FF655995C40, 0_2_00007FF655997A40, 0_2_00007FF6559978A0, 0_2_00007FF65599CAA0, 0_2_00007FF65599F0A0, 0_2_00007FF655998E80, 0_2_00007FF65599EFE2, 0_2_00007FF65599BFF0, 0_2_00007FF655A329D0, 0_2_00007FF65599E400, 0_2_00007FF65599B760, 0_2_00007FF65599ED70, 0_2_00007FF65599A172, 0_2_00007FF655997740, 0_2_00007FF65599E540, 0_2_00007FF65599B5A0, 0_2_00007FF6559995A0, 0_2_00007FF65599A9B0, 0_2_00007FF655993780, 0_2_00007FF65599A180
Code functions, process 7 (24): 7_2_00007FF61EB9E400, 7_2_00007FF61EC329D0, 7_2_00007FF61EB9EFE2, 7_2_00007FF61EB9BFF0, 7_2_00007FF61EB93780, 7_2_00007FF61EB9A180, 7_2_00007FF61EB9B5A0, 7_2_00007FF61EB995A0, 7_2_00007FF61EB9A9B0, 7_2_00007FF61EB97740, 7_2_00007FF61EB9E540, 7_2_00007FF61EB9B760, 7_2_00007FF61EB9ED70, 7_2_00007FF61EB9A172, 7_2_00007FF61EB9B900, 7_2_00007FF61EB9BCC0, 7_2_00007FF61EB98E80, 7_2_00007FF61EB978A0, 7_2_00007FF61EB9CAA0, 7_2_00007FF61EB9F0A0, 7_2_00007FF61EB95C40, 7_2_00007FF61EB97A40, 7_2_00007FF61EB9B260, 7_2_00007FF61EB9BE60
Note: the process-7 set is the process-0 set with every address lowered by exactly 0x36E00000, i.e. the same 24 functions loaded at a different image base, as expected for a second instance of the same binary (clip.exe carries the sample's MD5).
Further signature evidence (section headings not preserved; evidence type and number of rows, in report order) |
---|
Classification label (1) |
File created (1) |
Mutant created (3) |
File created (1) |
Static PE information (1) |
Key opened (1) |
Virustotal (1) |
ReversingLabs (1) |
String found in binary or memory (2) |
File read (1) |
Process created (13) |
Section loaded (72) |
Key value queried (1) |
Static PE information (2) |
Static file information (1) |
Static PE information (2) |
Static PE information (6) |
Static PE information (1) |
Static PE information (1) |
Binary string (2) |
Static PE information (5) |
Code function: 0_2_00007FF655998313 (2 rows), 7_2_00007FF61EB98313 (2 rows) |
Static PE information (2) |
File created, dropped file (1) |
Registry value created or modified (2) |
Hooking and other Techniques for Hiding and Protection |
---|
Network traffic detected (4 rows) |
Malware Analysis System Evasion |
---|
Process created (2 rows) |
Code function: 0_2_00007FF655991330 |
Window / User API (1 row) |
Thread sleep count (1 row) |
Thread sleep time (1 row) |
File opened (1 row) |
Last function (3 rows) |
Binary or memory string (3 rows) |
Anti Debugging |
---|
Code function: 0_2_00007FF655991330, 0_2_00007FF655991380, 7_2_00007FF61EB91380, 7_2_00007FF61EB91330 |
Process queried (2 rows) |
Code function: 0_2_00007FF655991330 |
Process created (4 rows) |
Code function: 0_2_00007FF655B17304 |
Stealing of Sensitive Information |
---|
File source (1 row) |
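The YARA hit and the classification above name the sample a clipboard hijacker, but the report does not show what it writes to the clipboard. As an added example, not from the report, the following Python code encodes the signal a defender would monitor for this class in general: a background process (not the foreground, user-driven one) overwrites a cryptocurrency address the user has just copied with a different address of the same format, so a later paste goes to the attacker's wallet. The event model, the address patterns, the PIDs and the addresses used as input are all constructed sample data; PID 3676 is borrowed from the report's clip.exe only as a label.

```python
"""Heuristic detector for clipboard address swapping.

Added example, not code from the Joe Sandbox report. Events, PIDs and
addresses are constructed; the address patterns are simplified assumptions
(production rules would also validate checksums and cover more coins).
"""
import re
from dataclasses import dataclass

ADDRESS_KINDS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family of text, or None if it is not an address."""
    s = text.strip()
    return next((k for k, pat in ADDRESS_KINDS.items() if pat.match(s)), None)


@dataclass
class ClipEvent:
    t: float             # seconds since the monitor started
    text: str            # new clipboard text
    owner_pid: int       # process that set the clipboard (as GetClipboardOwner would report)
    foreground_pid: int  # process owning the foreground window at that moment


def detect_swaps(events, window=5.0):
    """Return suspicious replacements: a process other than the foreground
    one replaced an address with a different address of the same kind
    within `window` seconds of the previous clipboard change."""
    swaps = []
    prev = None
    for e in sorted(events, key=lambda ev: ev.t):
        if prev is not None and e.owner_pid != e.foreground_pid:
            kind = address_kind(prev.text)
            if (kind and address_kind(e.text) == kind
                    and e.text.strip() != prev.text.strip()
                    and e.t - prev.t <= window):
                swaps.append({"t": e.t, "writer_pid": e.owner_pid, "kind": kind,
                              "original": prev.text, "replacement": e.text})
        prev = e
    return swaps


# Constructed sample: the user copies an address in the browser (pid 4100);
# a background process (pid 3676) overwrites it almost immediately. The
# password-manager write (pid 5200) is not an address and must not fire.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", 4100, 4100),
    ClipEvent(0.2, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy", 3676, 4100),
    ClipEvent(30.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe", 4100, 4100),
    ClipEvent(30.1, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e", 3676, 4100),
    ClipEvent(60.0, "correct horse battery staple", 5200, 4100),
    ClipEvent(61.0, "meeting notes for Tuesday", 4100, 4100),
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_EVENTS):
        print(swap)
```

The owner/foreground comparison is the part that carries the weight: a user who copies a second address from the same window is not flagged, while the same replacement from a process with no visible window is. On Windows the two PIDs come from GetClipboardOwner and GetForegroundWindow; the example keeps them as plain fields so the logic runs anywhere.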
MITRE ATT&CK techniques matched for this sample (the leading number is the count shown in the report's matrix; tactics and cells with no match are omitted):
- Execution: 2 Command and Scripting Interpreter
- Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
- Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
- Defense Evasion: 1 Masquerading; 3 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
- Discovery: 1 System Time Discovery; 131 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 11 System Network Configuration Discovery; 12 System Information Discovery
- Collection: 1 Archive Collected Data
- Command and Control: 11 Encrypted Channel; 11 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
Note that the matrix does not map the clipboard hijacking itself (ATT&CK Collection: Clipboard Data, T1115); the classification rests on the YARA rule, not on a mapped technique.
Sample (GEwWDGafs9.exe)
Detection | Scanner | Label |
---|---|---|
42% | Virustotal | |
72% | ReversingLabs | Win64.Trojan.Generic |
Dropped files
Detection | Scanner | Label |
---|---|---|
72% | ReversingLabs | Win64.Trojan.Generic |
URLs (URL column blank in this copy)
Detection | Scanner | Label |
---|---|---|
100% | Avira URL Cloud | malware (16 URLs) |
0% | Avira URL Cloud | safe (1 URL) |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
raw.githubusercontent.com | 185.199.109.133 | true | false | high | |
ip-api.com | 208.95.112.1 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(blank) | false | | high |
(blank) | false | | high |
(blank) | false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
29 rows with Name and Source blank; Malicious = false for all; Reputation high for 13 rows and unknown for 16 |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
185.208.159.226 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | false |
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false |
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false |
Of the three contacted hosts only 185.208.159.226 has no domain, matching the "TCP traffic detected without corresponding DNS query" rows under Networking; ip-api.com is a public IP-geolocation API and raw.githubusercontent.com serves raw file content from GitHub repositories, so neither address is specific to this sample.
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1647699 |
Start date and time: | 2025-03-25 07:25:33 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | GEwWDGafs9.exe (renamed because the original name is a hash value) |
Original Sample Name: | 1620529d44dd56fe7beb51b1dbc75fd6.exe |
Detection: | MAL |
Classification: | mal92.troj.spyw.evad.winEXE@13/9@2/3 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.204.23.20
- Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target GEwWDGafs9.exe, PID 6976, because there are no executed functions
- Execution Graph export aborted for target clip.exe, PID 3676, because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found
- Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description |
---|---|---|
02:27:19 | API Interceptor | |
07:26:28 | Autostart | |
07:26:37 | Autostart |
Match (IP) | Associated samples, threat name per sample (all flagged malicious; sample names and SHA-256 blank in this copy) |
---|---|
185.208.159.226 | Clipboard Hijacker; Clipboard Hijacker |
208.95.112.1 | XWorm; Python Stealer, Blank Grabber, XWorm; Python Stealer, Blank Grabber, XWorm; XWorm; XWorm; XWorm; Kdot Stealer; AgentTesla; AgentTesla, PureLog Stealer, RedLine; AgentTesla |
185.199.109.133 | Unknown (7 samples); Metasploit; AsyncRAT, XWorm |
Match (domain) | Associated samples, threat name per sample (all flagged malicious) |
---|---|
raw.githubusercontent.com | Nanocore; XWorm; XWorm; LummaC Stealer, Salat Stealer; Quasar; Unknown (5 samples) |
ip-api.com | XWorm; Python Stealer, Blank Grabber, XWorm; Python Stealer, Blank Grabber, XWorm; XWorm; XWorm; XWorm; Kdot Stealer; AgentTesla; AgentTesla, PureLog Stealer, RedLine; AgentTesla |
Match (ASN) | Associated samples, threat name per sample (all flagged malicious) |
---|---|
FASTLYUS | Unknown; Nanocore; HTMLPhisher; Unknown; HTMLPhisher, Invisible JS, Tycoon2FA; Invisible JS, Tycoon2FA; Invisible JS, Tycoon2FA; Unknown; HTMLPhisher; HTMLPhisher, Invisible JS, Tycoon2FA |
TUT-ASUS | XWorm; Python Stealer, Blank Grabber, XWorm; Python Stealer, Blank Grabber, XWorm; XWorm; XWorm; XWorm; Kdot Stealer; AgentTesla; AgentTesla, PureLog Stealer, RedLine; AgentTesla |
SIMPLECARRER2IT | Amadey; Amadey; RHADAMANTHYS; RHADAMANTHYS; RHADAMANTHYS; Clipboard Hijacker; Sliver; Clipboard Hijacker; Xmrig; Unknown |
Match (JA3 fingerprint) | Associated samples, threat name per sample (all flagged malicious) |
---|---|
37f463bf4616ecd445d4a1937da06e19 | Remcos, GuLoader; GuLoader, Snake Keylogger; LummaC Stealer, Stealc, Vidar; Vidar; Vidar; Vidar; Unknown; Unknown; Remcos, GuLoader; GuLoader |
Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21 |
Entropy (8bit): | 3.010434089033337 |
Encrypted: | false |
SSDEEP: | 3:EQj7UFXDf/:EQnUtDf/ |
MD5: | 92D65DE01D0749FDA422A3CA9DFFD46B |
SHA1: | 59D246850168572359D67DAE5F246C4CF9C4D3E5 |
SHA-256: | F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4 |
SHA-512: | 29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\clip.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5 |
Entropy (8bit): | 1.9219280948873623 |
Encrypted: | false |
SSDEEP: | 3:6:6 |
MD5: | A01AB5C0FF81A60B7D1CEA84CC7DCB7A |
SHA1: | D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0 |
SHA-256: | 53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232 |
SHA-512: | F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5 |
Entropy (8bit): | 1.9219280948873623 |
Encrypted: | false |
SSDEEP: | 3:6:6 |
MD5: | A01AB5C0FF81A60B7D1CEA84CC7DCB7A |
SHA1: | D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0 |
SHA-256: | 53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232 |
SHA-512: | F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\clip.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 188 |
Entropy (8bit): | 5.274666513385075 |
Encrypted: | false |
SSDEEP: | 3:BztLQhNEmbWLcMLABPvrV2b0kEwAyQqZWzprdFlonuRcGdv1zprdFlo+Sfn:BZLQhNEmbG9LoB2oN11q+prdmecAprd2 |
MD5: | 1EA47DE0DA2E131CA0E18A1874B913E1 |
SHA1: | 3E2E37C22BF165F0FAEFA49A5B5A64A33F00B42F |
SHA-256: | 3F0F74E5E98DE77D0B4BB6D63DFC36546F7B8AD61734D535BB5CF8D75102A14D |
SHA-512: | 9BAC3A0B2A200DEC002165E25C7A78207AE433DB5D21D9CBDC8D589C4781A0C2E210FEE3BAF5EC093EED0E183F49E66D1432441065FB1008B5458AA7A20B70BB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\clip.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 21 |
Entropy (8bit): | 3.010434089033337 |
Encrypted: | false |
SSDEEP: | 3:EQj7UFXDf/:EQnUtDf/ |
MD5: | 92D65DE01D0749FDA422A3CA9DFFD46B |
SHA1: | 59D246850168572359D67DAE5F246C4CF9C4D3E5 |
SHA-256: | F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4 |
SHA-512: | 29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 188 |
Entropy (8bit): | 5.274666513385075 |
Encrypted: | false |
SSDEEP: | 3:BztLQhNEmbWLcMLABPvrV2b0kEwAyQqZWzprdFlonuRcGdv1zprdFlo+Sfn:BZLQhNEmbG9LoB2oN11q+prdmecAprd2 |
MD5: | 1EA47DE0DA2E131CA0E18A1874B913E1 |
SHA1: | 3E2E37C22BF165F0FAEFA49A5B5A64A33F00B42F |
SHA-256: | 3F0F74E5E98DE77D0B4BB6D63DFC36546F7B8AD61734D535BB5CF8D75102A14D |
SHA-512: | 9BAC3A0B2A200DEC002165E25C7A78207AE433DB5D21D9CBDC8D589C4781A0C2E210FEE3BAF5EC093EED0E183F49E66D1432441065FB1008B5458AA7A20B70BB |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\clip.exe |
File Type: | |
Category: | modified |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3647488 |
Entropy (8bit): | 7.31524678352141 |
Encrypted: | false |
SSDEEP: | 49152:FmVwASOEGtlqCKIU6ingvS/U0eqGs1gTQJKDAbjRzFq5VYRVctpLMESh4Q1xorzg:2d+gBoFzoHEX9rDeHHhrX2ANMUN |
MD5: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
SHA1: | B300643E88FF98AFF7D889FD8C15DBDAC319AD27 |
SHA-256: | 0C32FE825A579830125C18D53460860500723372977F20EB40121E687706447D |
SHA-512: | 918C8DAA0BD3B1C61C28A63CBD8A13740FBFE81DA731F94C9CD85D6A3E306A8C39499C00B8E1BEB2B4862949A35A607050A83E2C106449F88989BB47DBB13196 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.31524678352141 |
TrID: | |
File name: | GEwWDGafs9.exe |
File size: | 3'647'488 bytes |
MD5: | 1620529d44dd56fe7beb51b1dbc75fd6 |
SHA1: | b300643e88ff98aff7d889fd8c15dbdac319ad27 |
SHA256: | 0c32fe825a579830125c18d53460860500723372977f20eb40121e687706447d |
SHA512: | 918c8daa0bd3b1c61c28a63cbd8a13740fbfe81da731f94c9cd85d6a3e306a8c39499c00b8e1beb2b4862949a35a607050a83e2c106449f88989bb47dbb13196 |
SSDEEP: | 49152:FmVwASOEGtlqCKIU6ingvS/U0eqGs1gTQJKDAbjRzFq5VYRVctpLMESh4Q1xorzg:2d+gBoFzoHEX9rDeHHhrX2ANMUN |
TLSH: | EAF5D016B3A900E9D87BC13CD9964133E7F2B86917B0ABDB02A486751F237E15E3E741 |
File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................-...................................................................................a.......a...... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x140186b90 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67DC11D4 [Thu Mar 20 13:02:12 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 290b5b74ed388a2f4e81683b8fd40b54 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F96CCC26520h |
dec eax |
add esp, 28h |
jmp 00007F96CCC25C27h |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
dec eax |
lea ecx, dword ptr [001E40ACh] |
call dword ptr [000397A6h] |
mov eax, dword ptr [001DD294h] |
dec eax |
lea ecx, dword ptr [001E4099h] |
mov edx, dword ptr [001E40B3h] |
inc eax |
mov dword ptr [001DD27Fh], eax |
mov dword ptr [ebx], eax |
dec eax |
mov eax, dword ptr [00000058h] |
inc ecx |
mov ecx, 00000004h |
dec esp |
mov eax, dword ptr [eax+edx*8] |
mov eax, dword ptr [001DD264h] |
inc ebx |
mov dword ptr [ecx+eax], eax |
call dword ptr [0003975Eh] |
dec eax |
lea ecx, dword ptr [001E4057h] |
dec eax |
add esp, 20h |
pop ebx |
dec eax |
jmp dword ptr [0003975Bh] |
int3 |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
dec eax |
lea ecx, dword ptr [001E4040h] |
call dword ptr [0003973Ah] |
cmp dword ptr [ebx], 00000000h |
jne 00007F96CCC25DD4h |
or dword ptr [ebx], FFFFFFFFh |
jmp 00007F96CCC25DF7h |
inc ebp |
xor ecx, ecx |
dec eax |
lea edx, dword ptr [001E4026h] |
inc ecx |
or eax, FFFFFFFFh |
dec eax |
lea ecx, dword ptr [001E4013h] |
call dword ptr [00039725h] |
jmp 00007F96CCC25D8Bh |
cmp dword ptr [ebx], FFFFFFFFh |
je 00007F96CCC25D90h |
dec eax |
mov eax, dword ptr [00000058h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35fc7c | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37e000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x36d000 | 0x10d4c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37f000 | 0x5b54 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x349b40 | 0x70 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x349d80 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x349a00 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1c0000 | 0x5f0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1be1a8 | 0x1be200 | 951a2818cb35d888f0328c24228da5ca | False | 0.509161464170636 | data | 6.863597004168995 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x1c0000 | 0x1a1118 | 0x1a1200 | 63c0896633c5c28e53d61096ad78e931 | False | 0.806784607244531 | data | 7.4840729170019324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x362000 | 0xa784 | 0x4400 | 8a1f892dad06a25a77fabdb68fc06bb6 | False | 0.21501608455882354 | data | 3.5834068164514687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x36d000 | 0x10d4c | 0x10e00 | 64dfbe7fcbdd866b13f09b8faf1d2599 | False | 0.4862123842592593 | data | 6.133896963177395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x37e000 | 0x1e0 | 0x200 | 8596ef18191b12d8e3bec098ab630c55 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x37f000 | 0x5b54 | 0x5c00 | 8375a0b81e17169769d398ecedce2451 | False | 0.27377717391304346 | data | 5.4476242894253515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x37e060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
DLL | Import |
---|---|
KERNEL32.dll | CheckRemoteDebuggerPresent, GlobalMemoryStatusEx, SetFileAttributesA, GetSystemInfo, CloseHandle, GlobalAlloc, CreateFileA, OpenMutexA, CopyFileA, SetEndOfFile, WriteConsoleW, GetTimeZoneInformation, GetTempPathA, Sleep, CreateFileW, CreateMutexA, DeviceIoControl, WriteFile, GetCurrentProcess, GetModuleFileNameA, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SetStdHandle, HeapSize, CreateProcessW, GetExitCodeProcess, WaitForSingleObject, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetLastError, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetStdHandle, GetEnvironmentVariableW, GetFileType, GetModuleHandleW, GetProcAddress, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, RtlVirtualUnwind, DeleteFiber, WideCharToMultiByte, GetCurrentProcessId, GetSystemTimeAsFileTime, ConvertFiberToThread, FreeLibrary, LoadLibraryA, LoadLibraryW, FindClose, FindFirstFileW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LocalFree, FormatMessageA, GetLocaleInfoEx, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, SetFileInformationByHandle, AreFileApisANSI, GetFileInformationByHandleEx, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, GetExitCodeThread, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, 
GetStringTypeW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, ExitProcess, SetConsoleCtrlHandler, ReadFile, GetDriveTypeW, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, RtlUnwind |
USER32.dll | GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetProcessWindowStation, SetClipboardData, GetClipboardSequenceNumber, GetUserObjectInformationW, MessageBoxW |
ADVAPI32.dll | CryptGetUserKey, CryptGetProvParam, CryptExportKey, CryptDecrypt, CryptCreateHash, CryptDestroyHash, CryptSignHashW, CryptEnumProvidersW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, CryptSetHashParam, RegCreateKeyA, RegSetValueExA |
SHELL32.dll | ShellExecuteA |
bcrypt.dll | BCryptGenRandom |
WININET.dll | InternetOpenA, InternetCloseHandle, InternetReadFile, InternetOpenUrlA |
CRYPT32.dll | CertEnumCertificatesInStore, CertFindCertificateInStore, CertOpenStore, CertFreeCertificateContext, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertCloseStore |
WS2_32.dll | WSACleanup, WSAGetLastError, closesocket, recv, send, WSASetLastError |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
- Total Packets: 54
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 07:26:26.718952894 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:26.813668966 CET | 80 | 49682 | 208.95.112.1 | 192.168.2.8 |
Mar 25, 2025 07:26:26.813771009 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:26.815188885 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:26.910465002 CET | 80 | 49682 | 208.95.112.1 | 192.168.2.8 |
Mar 25, 2025 07:26:26.910532951 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:27.023761988 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.023819923 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.023881912 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.035331964 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.035367012 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.228266001 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.228384018 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.281060934 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.281085968 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.281407118 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.281476021 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.283377886 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.328320026 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.487737894 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.487863064 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.487903118 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.487932920 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.498131037 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:27.498155117 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:27.532895088 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:27.721704960 CET | 8888 | 49684 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:27.721828938 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:27.722089052 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:27.912578106 CET | 8888 | 49684 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:28.349659920 CET | 8888 | 49684 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:28.351490974 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:29.377808094 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:29.378031015 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:29.586247921 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:29.680787086 CET | 80 | 49685 | 208.95.112.1 | 192.168.2.8 |
Mar 25, 2025 07:26:29.680874109 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:29.681133986 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:29.777448893 CET | 80 | 49685 | 208.95.112.1 | 192.168.2.8 |
Mar 25, 2025 07:26:29.777590990 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:26:29.852574110 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:29.852612972 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:29.852849007 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:29.860055923 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:29.860066891 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.044181108 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.044250965 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.047730923 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.047739029 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.047985077 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.048149109 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.049567938 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.096330881 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.226344109 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.226408958 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.226423025 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.226485014 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.226490974 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.226532936 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.227405071 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
Mar 25, 2025 07:26:30.227421045 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
Mar 25, 2025 07:26:30.242181063 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:30.429246902 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:30.429332018 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:30.429550886 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:30.621689081 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:30.844842911 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:30.844924927 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:26:35.842587948 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
Mar 25, 2025 07:26:35.842719078 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:27:28.676240921 CET | 80 | 49685 | 208.95.112.1 | 192.168.2.8 |
Mar 25, 2025 07:27:28.676419973 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:28:19.518838882 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:28:19.519489050 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:28:19.831159115 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:28:19.987356901 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:28:20.440500975 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:28:20.924940109 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:28:21.643703938 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:28:22.799839973 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:28:24.049817085 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Mar 25, 2025 07:28:26.549841881 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
Mar 25, 2025 07:28:28.862452984 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 07:26:26.602444887 CET | 57901 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 25, 2025 07:26:26.703915119 CET | 53 | 57901 | 1.1.1.1 | 192.168.2.8 |
Mar 25, 2025 07:26:26.921256065 CET | 61345 | 53 | 192.168.2.8 | 1.1.1.1 |
Mar 25, 2025 07:26:27.022706032 CET | 53 | 61345 | 1.1.1.1 | 192.168.2.8 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 25, 2025 07:26:26.602444887 CET | 192.168.2.8 | 1.1.1.1 | 0x75c0 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 07:26:26.921256065 CET | 192.168.2.8 | 1.1.1.1 | 0x5505 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 25, 2025 07:26:26.703915119 CET | 1.1.1.1 | 192.168.2.8 | 0x75c0 | No error (0) | | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | | | 185.199.109.133 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | | | 185.199.108.133 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | | | 185.199.111.133 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | | | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49682 | 208.95.112.1 | 80 | 6976 | C:\Users\user\Desktop\GEwWDGafs9.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 25, 2025 07:26:26.815188885 CET | 86 | OUT | |
Mar 25, 2025 07:26:26.910465002 CET | 359 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49684 | 185.208.159.226 | 8888 | 6976 | C:\Users\user\Desktop\GEwWDGafs9.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 25, 2025 07:26:27.722089052 CET | 124 | OUT | |
Mar 25, 2025 07:26:28.349659920 CET | 129 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49685 | 208.95.112.1 | 80 | 3676 | C:\Users\user\AppData\Local\clip.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 25, 2025 07:26:29.681133986 CET | 86 | OUT | |
Mar 25, 2025 07:26:29.777448893 CET | 359 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.8 | 49687 | 185.208.159.226 | 8888 | 3676 | C:\Users\user\AppData\Local\clip.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Mar 25, 2025 07:26:30.429550886 CET | 124 | OUT | |
Mar 25, 2025 07:26:30.844842911 CET | 129 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49683 | 185.199.109.133 | 443 | 6976 | C:\Users\user\Desktop\GEwWDGafs9.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 06:26:27 UTC | 141 | OUT | |
2025-03-25 06:26:27 UTC | 891 | IN | |
2025-03-25 06:26:27 UTC | 21 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49686 | 185.199.109.133 | 443 | 3676 | C:\Users\user\AppData\Local\clip.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 06:26:30 UTC | 141 | OUT | |
2025-03-25 06:26:30 UTC | 889 | IN | |
2025-03-25 06:26:30 UTC | 21 | IN | |
Target ID: | 0 |
Start time: | 02:26:25 |
Start date: | 25/03/2025 |
Path: | C:\Users\user\Desktop\GEwWDGafs9.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff655990000 |
File size: | 3'647'488 bytes |
MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 02:26:27 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7b7640000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 02:26:28 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6e60e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 02:26:28 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7b7640000 |
File size: | 289'792 bytes |
MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 02:26:28 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6e60e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 02:26:28 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\PING.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6901c0000 |
File size: | 22'528 bytes |
MD5 hash: | 2F46799D79D22AC72C241EC0322B011D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 02:26:28 |
Start date: | 25/03/2025 |
Path: | C:\Users\user\AppData\Local\clip.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61eb90000 |
File size: | 3'647'488 bytes |
MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 8 |
Start time: | 02:26:37 |
Start date: | 25/03/2025 |
Path: | C:\Users\user\AppData\Local\clip.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61eb90000 |
File size: | 3'647'488 bytes |
MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 10 |
Start time: | 02:26:45 |
Start date: | 25/03/2025 |
Path: | C:\Users\user\AppData\Local\clip.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61eb90000 |
File size: | 3'647'488 bytes |
MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|