Edit tour
Windows
Analysis Report
GEwWDGafs9.exe
Overview
General Information
| Sample name: | GEwWDGafs9.exerenamed because original name is a hash value |
| Original sample name: | 1620529d44dd56fe7beb51b1dbc75fd6.exe |
| Analysis ID: | 1647699 |
| MD5: | 1620529d44dd56fe7beb51b1dbc75fd6 |
| SHA1: | b300643e88ff98aff7d889fd8c15dbdac319ad27 |
| SHA256: | 0c32fe825a579830125c18d53460860500723372977f20eb40121e687706447d |
| Tags: | exeuser-abuse_ch |
| Infos: |   |
 | |
Detection
Clipboard Hijacker
| Score: | 92 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
Joe Sandbox ML detected suspicious sample
Potentially malicious time measurement code found
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
GEwWDGafs9.exe (PID: 6976 cmdline: "C:\Users\ user\Deskt op\GEwWDGa fs9.exe" MD5: 1620529D44DD56FE7BEB51B1DBC75FD6) 
cmd.exe (PID: 6276 cmdline: C:\Windows \system32\ cmd.exe /c start cmd /C "ping localhost -n 1 && st art C:\Use rs\user\Ap pData\Loca l\clip.exe " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6184 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 6420 cmdline:
cmd /C "pi ng localho st -n 1 && start C:\ Users\user \AppData\L ocal\clip. exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6468 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 4252 cmdline:
ping local host -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D) - clip.exe (PID: 3676 cmdline:
C:\Users\u ser\AppDat a\Local\cl ip.exe MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
- clip.exe (PID: 6652 cmdline:
"C:\Users\ user\AppDa ta\Local\c lip.exe" MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
- clip.exe (PID: 4456 cmdline:
"C:\Users\ user\AppDa ta\Local\c lip.exe" MD5: 1620529D44DD56FE7BEB51B1DBC75FD6)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Stealing of Sensitive Information
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Process created: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00007FF65599BCC0 | |
| Source: | Code function: | 0_2_00007FF65599B900 | |
| Source: | Code function: | 0_2_00007FF65599B260 | |
| Source: | Code function: | 0_2_00007FF65599BE60 | |
| Source: | Code function: | 0_2_00007FF655995C40 | |
| Source: | Code function: | 0_2_00007FF655997A40 | |
| Source: | Code function: | 0_2_00007FF6559978A0 | |
| Source: | Code function: | 0_2_00007FF65599CAA0 | |
| Source: | Code function: | 0_2_00007FF65599F0A0 | |
| Source: | Code function: | 0_2_00007FF655998E80 | |
| Source: | Code function: | 0_2_00007FF65599EFE2 | |
| Source: | Code function: | 0_2_00007FF65599BFF0 | |
| Source: | Code function: | 0_2_00007FF655A329D0 | |
| Source: | Code function: | 0_2_00007FF65599E400 | |
| Source: | Code function: | 0_2_00007FF65599B760 | |
| Source: | Code function: | 0_2_00007FF65599ED70 | |
| Source: | Code function: | 0_2_00007FF65599A172 | |
| Source: | Code function: | 0_2_00007FF655997740 | |
| Source: | Code function: | 0_2_00007FF65599E540 | |
| Source: | Code function: | 0_2_00007FF65599B5A0 | |
| Source: | Code function: | 0_2_00007FF6559995A0 | |
| Source: | Code function: | 0_2_00007FF65599A9B0 | |
| Source: | Code function: | 0_2_00007FF655993780 | |
| Source: | Code function: | 0_2_00007FF65599A180 | |
| Source: | Code function: | 7_2_00007FF61EB9E400 | |
| Source: | Code function: | 7_2_00007FF61EC329D0 | |
| Source: | Code function: | 7_2_00007FF61EB9EFE2 | |
| Source: | Code function: | 7_2_00007FF61EB9BFF0 | |
| Source: | Code function: | 7_2_00007FF61EB93780 | |
| Source: | Code function: | 7_2_00007FF61EB9A180 | |
| Source: | Code function: | 7_2_00007FF61EB9B5A0 | |
| Source: | Code function: | 7_2_00007FF61EB995A0 | |
| Source: | Code function: | 7_2_00007FF61EB9A9B0 | |
| Source: | Code function: | 7_2_00007FF61EB97740 | |
| Source: | Code function: | 7_2_00007FF61EB9E540 | |
| Source: | Code function: | 7_2_00007FF61EB9B760 | |
| Source: | Code function: | 7_2_00007FF61EB9ED70 | |
| Source: | Code function: | 7_2_00007FF61EB9A172 | |
| Source: | Code function: | 7_2_00007FF61EB9B900 | |
| Source: | Code function: | 7_2_00007FF61EB9BCC0 | |
| Source: | Code function: | 7_2_00007FF61EB98E80 | |
| Source: | Code function: | 7_2_00007FF61EB978A0 | |
| Source: | Code function: | 7_2_00007FF61EB9CAA0 | |
| Source: | Code function: | 7_2_00007FF61EB9F0A0 | |
| Source: | Code function: | 7_2_00007FF61EB95C40 | |
| Source: | Code function: | 7_2_00007FF61EB97A40 | |
| Source: | Code function: | 7_2_00007FF61EB9B260 | |
| Source: | Code function: | 7_2_00007FF61EB9BE60 | |
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF655998313 | |
| Source: | Code function: | 0_2_00007FF655998313 | |
| Source: | Code function: | 7_2_00007FF61EB98313 | |
| Source: | Code function: | 7_2_00007FF61EB98313 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
Malware Analysis System Evasion | |
|---|
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF655991330 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Code function: | 0_2_00007FF655991330 | |
| Source: | Code function: | 0_2_00007FF655991380 | |
| Source: | Code function: | 7_2_00007FF61EB91380 | |
| Source: | Code function: | 7_2_00007FF61EB91330 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF655991330 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF655B17304 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 3 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | Virustotal | Browse | ||
| 72% | ReversingLabs | Win64.Trojan.Generic |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 72% | ReversingLabs | Win64.Trojan.Generic |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| raw.githubusercontent.com | 185.199.109.133 | true | false | high | |
| ip-api.com | 208.95.112.1 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high | ||
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.208.159.226 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | false | |
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false | |
| 185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1647699 |
| Start date and time: | 2025-03-25 07:25:33 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 26s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 20 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | GEwWDGafs9.exerenamed because original name is a hash value |
| Original Sample Name: | 1620529d44dd56fe7beb51b1dbc75fd6.exe |
| Detection: | MAL |
| Classification: | mal92.troj.spyw.evad.winEXE@13/9@2/3 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, sppsvc.exe, SIHCli ent.exe, SgrmBroker.exe, conho st.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 20.109.210.53, 23. 204.23.20 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , ctldl.windowsupdate.com, c.p ki.goog, fe3cr.delivery.mp.mic rosoft.com - Execution Graph export aborted
for target GEwWDGafs9.exe, PI D 6976 because there are no ex ecuted function - Execution Graph export aborted
for target clip.exe, PID 3676 because there are no executed function - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 02:27:19 | API Interceptor | |
| 07:26:28 | Autostart | |
| 07:26:37 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.208.159.226 | Get hash | malicious | Clipboard Hijacker | Browse |
| |
| Get hash | malicious | Clipboard Hijacker | Browse |
| ||
| 208.95.112.1 | Get hash | malicious | XWorm | Browse |
| |
| Get hash | malicious | Python Stealer, Blank Grabber, XWorm | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Kdot Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| 185.199.109.133 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Metasploit | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| raw.githubusercontent.com | Get hash | malicious | Nanocore | Browse |
| |
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | LummaC Stealer, Salat Stealer | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| ip-api.com | Get hash | malicious | XWorm | Browse |
| |
| Get hash | malicious | Python Stealer, Blank Grabber, XWorm | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Kdot Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| FASTLYUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Nanocore | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
| Get hash | malicious | Invisible JS, Tycoon2FA | Browse |
| ||
| Get hash | malicious | Invisible JS, Tycoon2FA | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
| TUT-ASUS | Get hash | malicious | XWorm | Browse |
| |
| Get hash | malicious | Python Stealer, Blank Grabber, XWorm | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Kdot Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| SIMPLECARRER2IT | Get hash | malicious | Amadey | Browse |
| |
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | RHADAMANTHYS | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker | Browse |
| ||
| Get hash | malicious | Sliver | Browse |
| ||
| Get hash | malicious | Clipboard Hijacker | Browse |
| ||
| Get hash | malicious | Xmrig | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Remcos, GuLoader | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | LummaC Stealer, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos, GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 21 |
| Entropy (8bit): | 3.010434089033337 |
| Encrypted: | false |
| SSDEEP: | 3:EQj7UFXDf/:EQnUtDf/ |
| MD5: | 92D65DE01D0749FDA422A3CA9DFFD46B |
| SHA1: | 59D246850168572359D67DAE5F246C4CF9C4D3E5 |
| SHA-256: | F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4 |
| SHA-512: | 29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\clip.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5 |
| Entropy (8bit): | 1.9219280948873623 |
| Encrypted: | false |
| SSDEEP: | 3:6:6 |
| MD5: | A01AB5C0FF81A60B7D1CEA84CC7DCB7A |
| SHA1: | D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0 |
| SHA-256: | 53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232 |
| SHA-512: | F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5 |
| Entropy (8bit): | 1.9219280948873623 |
| Encrypted: | false |
| SSDEEP: | 3:6:6 |
| MD5: | A01AB5C0FF81A60B7D1CEA84CC7DCB7A |
| SHA1: | D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0 |
| SHA-256: | 53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232 |
| SHA-512: | F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\clip.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 188 |
| Entropy (8bit): | 5.274666513385075 |
| Encrypted: | false |
| SSDEEP: | 3:BztLQhNEmbWLcMLABPvrV2b0kEwAyQqZWzprdFlonuRcGdv1zprdFlo+Sfn:BZLQhNEmbG9LoB2oN11q+prdmecAprd2 |
| MD5: | 1EA47DE0DA2E131CA0E18A1874B913E1 |
| SHA1: | 3E2E37C22BF165F0FAEFA49A5B5A64A33F00B42F |
| SHA-256: | 3F0F74E5E98DE77D0B4BB6D63DFC36546F7B8AD61734D535BB5CF8D75102A14D |
| SHA-512: | 9BAC3A0B2A200DEC002165E25C7A78207AE433DB5D21D9CBDC8D589C4781A0C2E210FEE3BAF5EC093EED0E183F49E66D1432441065FB1008B5458AA7A20B70BB |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\clip.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 21 |
| Entropy (8bit): | 3.010434089033337 |
| Encrypted: | false |
| SSDEEP: | 3:EQj7UFXDf/:EQnUtDf/ |
| MD5: | 92D65DE01D0749FDA422A3CA9DFFD46B |
| SHA1: | 59D246850168572359D67DAE5F246C4CF9C4D3E5 |
| SHA-256: | F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4 |
| SHA-512: | 29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 188 |
| Entropy (8bit): | 5.274666513385075 |
| Encrypted: | false |
| SSDEEP: | 3:BztLQhNEmbWLcMLABPvrV2b0kEwAyQqZWzprdFlonuRcGdv1zprdFlo+Sfn:BZLQhNEmbG9LoB2oN11q+prdmecAprd2 |
| MD5: | 1EA47DE0DA2E131CA0E18A1874B913E1 |
| SHA1: | 3E2E37C22BF165F0FAEFA49A5B5A64A33F00B42F |
| SHA-256: | 3F0F74E5E98DE77D0B4BB6D63DFC36546F7B8AD61734D535BB5CF8D75102A14D |
| SHA-512: | 9BAC3A0B2A200DEC002165E25C7A78207AE433DB5D21D9CBDC8D589C4781A0C2E210FEE3BAF5EC093EED0E183F49E66D1432441065FB1008B5458AA7A20B70BB |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\clip.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3647488 |
| Entropy (8bit): | 7.31524678352141 |
| Encrypted: | false |
| SSDEEP: | 49152:FmVwASOEGtlqCKIU6ingvS/U0eqGs1gTQJKDAbjRzFq5VYRVctpLMESh4Q1xorzg:2d+gBoFzoHEX9rDeHHhrX2ANMUN |
| MD5: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
| SHA1: | B300643E88FF98AFF7D889FD8C15DBDAC319AD27 |
| SHA-256: | 0C32FE825A579830125C18D53460860500723372977F20EB40121E687706447D |
| SHA-512: | 918C8DAA0BD3B1C61C28A63CBD8A13740FBFE81DA731F94C9CD85D6A3E306A8C39499C00B8E1BEB2B4862949A35A607050A83E2C106449F88989BB47DBB13196 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\GEwWDGafs9.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.31524678352141 |
| TrID: |
|
| File name: | GEwWDGafs9.exe |
| File size: | 3'647'488 bytes |
| MD5: | 1620529d44dd56fe7beb51b1dbc75fd6 |
| SHA1: | b300643e88ff98aff7d889fd8c15dbdac319ad27 |
| SHA256: | 0c32fe825a579830125c18d53460860500723372977f20eb40121e687706447d |
| SHA512: | 918c8daa0bd3b1c61c28a63cbd8a13740fbfe81da731f94c9cd85d6a3e306a8c39499c00b8e1beb2b4862949a35a607050a83e2c106449f88989bb47dbb13196 |
| SSDEEP: | 49152:FmVwASOEGtlqCKIU6ingvS/U0eqGs1gTQJKDAbjRzFq5VYRVctpLMESh4Q1xorzg:2d+gBoFzoHEX9rDeHHhrX2ANMUN |
| TLSH: | EAF5D016B3A900E9D87BC13CD9964133E7F2B86917B0ABDB02A486751F237E15E3E741 |
| File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................-...................................................................................a.......a...... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x140186b90 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67DC11D4 [Thu Mar 20 13:02:12 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 290b5b74ed388a2f4e81683b8fd40b54 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F96CCC26520h |
| dec eax |
| add esp, 28h |
| jmp 00007F96CCC25C27h |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| dec eax |
| lea ecx, dword ptr [001E40ACh] |
| call dword ptr [000397A6h] |
| mov eax, dword ptr [001DD294h] |
| dec eax |
| lea ecx, dword ptr [001E4099h] |
| mov edx, dword ptr [001E40B3h] |
| inc eax |
| mov dword ptr [001DD27Fh], eax |
| mov dword ptr [ebx], eax |
| dec eax |
| mov eax, dword ptr [00000058h] |
| inc ecx |
| mov ecx, 00000004h |
| dec esp |
| mov eax, dword ptr [eax+edx*8] |
| mov eax, dword ptr [001DD264h] |
| inc ebx |
| mov dword ptr [ecx+eax], eax |
| call dword ptr [0003975Eh] |
| dec eax |
| lea ecx, dword ptr [001E4057h] |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [0003975Bh] |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| dec eax |
| lea ecx, dword ptr [001E4040h] |
| call dword ptr [0003973Ah] |
| cmp dword ptr [ebx], 00000000h |
| jne 00007F96CCC25DD4h |
| or dword ptr [ebx], FFFFFFFFh |
| jmp 00007F96CCC25DF7h |
| inc ebp |
| xor ecx, ecx |
| dec eax |
| lea edx, dword ptr [001E4026h] |
| inc ecx |
| or eax, FFFFFFFFh |
| dec eax |
| lea ecx, dword ptr [001E4013h] |
| call dword ptr [00039725h] |
| jmp 00007F96CCC25D8Bh |
| cmp dword ptr [ebx], FFFFFFFFh |
| je 00007F96CCC25D90h |
| dec eax |
| mov eax, dword ptr [00000058h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35fc7c | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37e000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x36d000 | 0x10d4c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37f000 | 0x5b54 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x349b40 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x349d80 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x349a00 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1c0000 | 0x5f0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1be1a8 | 0x1be200 | 951a2818cb35d888f0328c24228da5ca | False | 0.509161464170636 | data | 6.863597004168995 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1c0000 | 0x1a1118 | 0x1a1200 | 63c0896633c5c28e53d61096ad78e931 | False | 0.806784607244531 | data | 7.4840729170019324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x362000 | 0xa784 | 0x4400 | 8a1f892dad06a25a77fabdb68fc06bb6 | False | 0.21501608455882354 | data | 3.5834068164514687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x36d000 | 0x10d4c | 0x10e00 | 64dfbe7fcbdd866b13f09b8faf1d2599 | False | 0.4862123842592593 | data | 6.133896963177395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x37e000 | 0x1e0 | 0x200 | 8596ef18191b12d8e3bec098ab630c55 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x37f000 | 0x5b54 | 0x5c00 | 8375a0b81e17169769d398ecedce2451 | False | 0.27377717391304346 | data | 5.4476242894253515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x37e060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CheckRemoteDebuggerPresent, GlobalMemoryStatusEx, SetFileAttributesA, GetSystemInfo, CloseHandle, GlobalAlloc, CreateFileA, OpenMutexA, CopyFileA, SetEndOfFile, WriteConsoleW, GetTimeZoneInformation, GetTempPathA, Sleep, CreateFileW, CreateMutexA, DeviceIoControl, WriteFile, GetCurrentProcess, GetModuleFileNameA, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SetStdHandle, HeapSize, CreateProcessW, GetExitCodeProcess, WaitForSingleObject, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetLastError, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetStdHandle, GetEnvironmentVariableW, GetFileType, GetModuleHandleW, GetProcAddress, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, RtlVirtualUnwind, DeleteFiber, WideCharToMultiByte, GetCurrentProcessId, GetSystemTimeAsFileTime, ConvertFiberToThread, FreeLibrary, LoadLibraryA, LoadLibraryW, FindClose, FindFirstFileW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LocalFree, FormatMessageA, GetLocaleInfoEx, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, SetFileInformationByHandle, AreFileApisANSI, GetFileInformationByHandleEx, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, GetExitCodeThread, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, GetStringTypeW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, ExitProcess, SetConsoleCtrlHandler, ReadFile, GetDriveTypeW, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, RtlUnwind |
| USER32.dll | GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetProcessWindowStation, SetClipboardData, GetClipboardSequenceNumber, GetUserObjectInformationW, MessageBoxW |
| ADVAPI32.dll | CryptGetUserKey, CryptGetProvParam, CryptExportKey, CryptDecrypt, CryptCreateHash, CryptDestroyHash, CryptSignHashW, CryptEnumProvidersW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, CryptSetHashParam, RegCreateKeyA, RegSetValueExA |
| SHELL32.dll | ShellExecuteA |
| bcrypt.dll | BCryptGenRandom |
| WININET.dll | InternetOpenA, InternetCloseHandle, InternetReadFile, InternetOpenUrlA |
| CRYPT32.dll | CertEnumCertificatesInStore, CertFindCertificateInStore, CertOpenStore, CertFreeCertificateContext, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertCloseStore |
| WS2_32.dll | WSACleanup, WSAGetLastError, closesocket, recv, send, WSASetLastError |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
- Total Packets: 54
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 25, 2025 07:26:26.718952894 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:26.813668966 CET | 80 | 49682 | 208.95.112.1 | 192.168.2.8 |
| Mar 25, 2025 07:26:26.813771009 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:26.815188885 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:26.910465002 CET | 80 | 49682 | 208.95.112.1 | 192.168.2.8 |
| Mar 25, 2025 07:26:26.910532951 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:27.023761988 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.023819923 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.023881912 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.035331964 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.035367012 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.228266001 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.228384018 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.281060934 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.281085968 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.281407118 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.281476021 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.283377886 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.328320026 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.487737894 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.487863064 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.487903118 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.487932920 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.498131037 CET | 49683 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:27.498155117 CET | 443 | 49683 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.532895088 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:27.721704960 CET | 8888 | 49684 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:27.721828938 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:27.722089052 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:27.912578106 CET | 8888 | 49684 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:28.349659920 CET | 8888 | 49684 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:28.351490974 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:29.377808094 CET | 49682 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:29.378031015 CET | 49684 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:29.586247921 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:29.680787086 CET | 80 | 49685 | 208.95.112.1 | 192.168.2.8 |
| Mar 25, 2025 07:26:29.680874109 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:29.681133986 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:29.777448893 CET | 80 | 49685 | 208.95.112.1 | 192.168.2.8 |
| Mar 25, 2025 07:26:29.777590990 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:26:29.852574110 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:29.852612972 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:29.852849007 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:29.860055923 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:29.860066891 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.044181108 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.044250965 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.047730923 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.047739029 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.047985077 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.048149109 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.049567938 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.096330881 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.226344109 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.226408958 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.226423025 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.226485014 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.226490974 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.226532936 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.227405071 CET | 49686 | 443 | 192.168.2.8 | 185.199.109.133 |
| Mar 25, 2025 07:26:30.227421045 CET | 443 | 49686 | 185.199.109.133 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.242181063 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:30.429246902 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.429332018 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:30.429550886 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:30.621689081 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.844842911 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:30.844924927 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:26:35.842587948 CET | 8888 | 49687 | 185.208.159.226 | 192.168.2.8 |
| Mar 25, 2025 07:26:35.842719078 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:27:28.676240921 CET | 80 | 49685 | 208.95.112.1 | 192.168.2.8 |
| Mar 25, 2025 07:27:28.676419973 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:28:19.518838882 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:28:19.519489050 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:28:19.831159115 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:28:19.987356901 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:28:20.440500975 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:28:20.924940109 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:28:21.643703938 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:28:22.799839973 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:28:24.049817085 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Mar 25, 2025 07:28:26.549841881 CET | 49687 | 8888 | 192.168.2.8 | 185.208.159.226 |
| Mar 25, 2025 07:28:28.862452984 CET | 49685 | 80 | 192.168.2.8 | 208.95.112.1 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 25, 2025 07:26:26.602444887 CET | 57901 | 53 | 192.168.2.8 | 1.1.1.1 |
| Mar 25, 2025 07:26:26.703915119 CET | 53 | 57901 | 1.1.1.1 | 192.168.2.8 |
| Mar 25, 2025 07:26:26.921256065 CET | 61345 | 53 | 192.168.2.8 | 1.1.1.1 |
| Mar 25, 2025 07:26:27.022706032 CET | 53 | 61345 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 25, 2025 07:26:26.602444887 CET | 192.168.2.8 | 1.1.1.1 | 0x75c0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 25, 2025 07:26:26.921256065 CET | 192.168.2.8 | 1.1.1.1 | 0x5505 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 25, 2025 07:26:26.703915119 CET | 1.1.1.1 | 192.168.2.8 | 0x75c0 | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | 185.199.109.133 | A (IP address) | IN (0x0001) | false | ||
| Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | 185.199.108.133 | A (IP address) | IN (0x0001) | false | ||
| Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | 185.199.111.133 | A (IP address) | IN (0x0001) | false | ||
| Mar 25, 2025 07:26:27.022706032 CET | 1.1.1.1 | 192.168.2.8 | 0x5505 | No error (0) | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49682 | 208.95.112.1 | 80 | 6976 | C:\Users\user\Desktop\GEwWDGafs9.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 25, 2025 07:26:26.815188885 CET | 86 | OUT | |
| Mar 25, 2025 07:26:26.910465002 CET | 359 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.8 | 49684 | 185.208.159.226 | 8888 | 6976 | C:\Users\user\Desktop\GEwWDGafs9.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 25, 2025 07:26:27.722089052 CET | 124 | OUT | |
| Mar 25, 2025 07:26:28.349659920 CET | 129 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.8 | 49685 | 208.95.112.1 | 80 | 3676 | C:\Users\user\AppData\Local\clip.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 25, 2025 07:26:29.681133986 CET | 86 | OUT | |
| Mar 25, 2025 07:26:29.777448893 CET | 359 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.8 | 49687 | 185.208.159.226 | 8888 | 3676 | C:\Users\user\AppData\Local\clip.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 25, 2025 07:26:30.429550886 CET | 124 | OUT | |
| Mar 25, 2025 07:26:30.844842911 CET | 129 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49683 | 185.199.109.133 | 443 | 6976 | C:\Users\user\Desktop\GEwWDGafs9.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-25 06:26:27 UTC | 141 | OUT | |
| 2025-03-25 06:26:27 UTC | 891 | IN | |
| 2025-03-25 06:26:27 UTC | 21 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.8 | 49686 | 185.199.109.133 | 443 | 3676 | C:\Users\user\AppData\Local\clip.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-25 06:26:30 UTC | 141 | OUT | |
| 2025-03-25 06:26:30 UTC | 889 | IN | |
| 2025-03-25 06:26:30 UTC | 21 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 02:26:25 |
| Start date: | 25/03/2025 |
| Path: | C:\Users\user\Desktop\GEwWDGafs9.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff655990000 |
| File size: | 3'647'488 bytes |
| MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 02:26:27 |
| Start date: | 25/03/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7b7640000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 02:26:28 |
| Start date: | 25/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6e60e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 02:26:28 |
| Start date: | 25/03/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7b7640000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 02:26:28 |
| Start date: | 25/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6e60e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 02:26:28 |
| Start date: | 25/03/2025 |
| Path: | C:\Windows\System32\PING.EXE |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6901c0000 |
| File size: | 22'528 bytes |
| MD5 hash: | 2F46799D79D22AC72C241EC0322B011D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 02:26:28 |
| Start date: | 25/03/2025 |
| Path: | C:\Users\user\AppData\Local\clip.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61eb90000 |
| File size: | 3'647'488 bytes |
| MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
| Target ID: | 8 |
| Start time: | 02:26:37 |
| Start date: | 25/03/2025 |
| Path: | C:\Users\user\AppData\Local\clip.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61eb90000 |
| File size: | 3'647'488 bytes |
| MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 02:26:45 |
| Start date: | 25/03/2025 |
| Path: | C:\Users\user\AppData\Local\clip.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff61eb90000 |
| File size: | 3'647'488 bytes |
| MD5 hash: | 1620529D44DD56FE7BEB51B1DBC75FD6 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
