Play interactive tour
Edit tourAnalysis Report fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll
Overview
General Information
| Sample Name: | fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll |
| Analysis ID: | 399327 |
| MD5: | 526bd61e387de23722e171a34dcd7016 |
| SHA1: | 9007dece802951a0f29c9ab84085e7d1920099f6 |
| SHA256: | 7d35c3abef65ed1d81d2f70944db31ba2a8cc703f1ccf8b82ca7b3929b8233e1 |
| Tags: | Trickbot |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Trickbot
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected Trickbot
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Classification
Startup |
|---|
|
Malware Configuration |
|---|
Threatname: Trickbot |
|---|
{"ver": "2000029", "gtag": "che7", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| Click to see the 5 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security | ||
| Click to see the 4 entries | ||||
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Yara detected Trickbot | Show sources | ||
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 14_2_0000024B66AE4800 | |
| Source: | Code function: | 14_2_0000024B66AEAC30 | |
| Source: | Code function: | 6_2_000002360243A940 | |
| Source: | Code function: | 6_2_00000236024459A0 | |
| Source: | Code function: | 6_2_000002360244B5B0 | |
| Source: | Code function: | 6_2_000002360245423F | |
| Source: | Code function: | 6_2_000002360244EA50 | |
| Source: | Code function: | 6_2_0000023602434670 | |
| Source: | Code function: | 6_2_00000236024542CD | |
| Source: | Code function: | 6_2_0000023602452EE0 | |
| Source: | Code function: | 6_2_00000236024542EF | |
| Source: | Code function: | 6_2_00000236024542AF | |
| Source: | Code function: | 6_2_0000023602454336 | |
| Source: | Code function: | 6_2_0000023602454355 | |
| Source: | Code function: | 6_2_000002360243BB70 | |
| Source: | Code function: | 6_2_0000023602450B70 | |
| Source: | Code function: | 6_2_000002360245431B | |
| Source: | Code function: | 6_2_0000023602439380 | |
| Source: | Code function: | 6_2_0000023602436B90 | |
| Source: | Code function: | 6_2_0000023602440060 | |
| Source: | Code function: | 6_2_0000023602440060 | |
| Source: | Code function: | 6_2_000002360244F460 | |
| Source: | Code function: | 6_2_000002360243AC30 | |
| Source: | Code function: | 6_2_00000236024438C0 | |
| Source: | Code function: | 6_2_00000236024438C0 | |
| Source: | Code function: | 6_2_00000236024484D0 | |
| Source: | Code function: | 6_2_000002360243E8E0 | |
| Source: | Code function: | 6_2_000002360244DCE0 | |
| Source: | Code function: | 6_2_00000236024354F0 | |
| Source: | Code function: | 6_2_00000236024408F0 | |
| Source: | Code function: | 6_2_0000023602437890 | |
| Source: | Code function: | 6_2_0000023602452CB0 | |
| Source: | Code function: | 6_2_000002360243E570 | |
| Source: | Code function: | 6_2_0000023602446510 | |
| Source: | Code function: | 7_2_0000023538D2A940 | |
| Source: | Code function: | 7_2_0000023538D30060 | |
| Source: | Code function: | 7_2_0000023538D30060 | |
| Source: | Code function: | 7_2_0000023538D3F460 | |
| Source: | Code function: | 7_2_0000023538D27890 | |
| Source: | Code function: | 7_2_0000023538D2AC30 | |
| Source: | Code function: | 7_2_0000023538D2E570 | |
| Source: | Code function: | 7_2_0000023538D308F0 | |
| Source: | Code function: | 7_2_0000023538D254F0 | |
| Source: | Code function: | 7_2_0000023538D2E8E0 | |
| Source: | Code function: | 7_2_0000023538D3DCE0 | |
| Source: | Code function: | 7_2_0000023538D36510 | |
| Source: | Code function: | 7_2_0000023538D42CB0 | |
| Source: | Code function: | 7_2_0000023538D384D0 | |
| Source: | Code function: | 7_2_0000023538D338C0 | |
| Source: | Code function: | 7_2_0000023538D338C0 | |
| Source: | Code function: | 7_2_0000023538D24670 | |
| Source: | Code function: | 7_2_0000023538D3EA50 | |
| Source: | Code function: | 7_2_0000023538D4423F | |
| Source: | Code function: | 7_2_0000023538D3B5B0 | |
| Source: | Code function: | 7_2_0000023538D359A0 | |
| Source: | Code function: | 7_2_0000023538D2BB70 | |
| Source: | Code function: | 7_2_0000023538D40B70 | |
| Source: | Code function: | 7_2_0000023538D44355 | |
| Source: | Code function: | 7_2_0000023538D26B90 | |
| Source: | Code function: | 7_2_0000023538D29380 | |
| Source: | Code function: | 7_2_0000023538D4431B | |
| Source: | Code function: | 7_2_0000023538D44336 | |
| Source: | Code function: | 7_2_0000023538D442EF | |
| Source: | Code function: | 7_2_0000023538D42EE0 | |
| Source: | Code function: | 7_2_0000023538D442AF | |
| Source: | Code function: | 7_2_0000023538D442CD | |
| Source: | Code function: | 14_2_0000024B66AEAC30 | |
| Source: | Code function: | 14_2_0000024B66AEA940 | |
| Source: | Code function: | 14_2_0000024B66AE6B90 | |
| Source: | Code function: | 14_2_0000024B66AEBB70 | |
| Source: | Code function: | 14_2_0000024B66B00B70 | |
| Source: | Code function: | 14_2_0000024B66AE9380 | |
| Source: | Code function: | 14_2_0000024B66B0431B | |
| Source: | Code function: | 14_2_0000024B66B042EF | |
| Source: | Code function: | 14_2_0000024B66B04355 | |
| Source: | Code function: | 14_2_0000024B66B04336 | |
| Source: | Code function: | 14_2_0000024B66AE7890 | |
| Source: | Code function: | 14_2_0000024B66AFDCE0 | |
| Source: | Code function: | 14_2_0000024B66AF84D0 | |
| Source: | Code function: | 14_2_0000024B66AE64E6 | |
| Source: | Code function: | 14_2_0000024B66AEE8E0 | |
| Source: | Code function: | 14_2_0000024B66B02CB0 | |
| Source: | Code function: | 14_2_0000024B66AF38C0 | |
| Source: | Code function: | 14_2_0000024B66AF38C0 | |
| Source: | Code function: | 14_2_0000024B66AFF460 | |
| Source: | Code function: | 14_2_0000024B66AF0060 | |
| Source: | Code function: | 14_2_0000024B66AF0060 | |
| Source: | Code function: | 14_2_0000024B66AF59A0 | |
| Source: | Code function: | 14_2_0000024B66AEE570 | |
| Source: | Code function: | 14_2_0000024B66AFB5B0 | |
| Source: | Code function: | 14_2_0000024B66AF6510 | |
| Source: | Code function: | 14_2_0000024B66AF08F0 | |
| Source: | Code function: | 14_2_0000024B66AE54F0 | |
| Source: | Code function: | 14_2_0000024B66AE4670 | |
| Source: | Code function: | 14_2_0000024B66B02EE0 | |
| Source: | Code function: | 14_2_0000024B66B042CD | |
| Source: | Code function: | 14_2_0000024B66B042AF | |
| Source: | Code function: | 14_2_0000024B66AFEA50 | |
| Source: | Code function: | 14_2_0000024B66B0423F | |
Networking: | |
|---|
| May check the online IP address of the machine | Show sources | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
E-Banking Fraud: | |
|---|
| Yara detected Trickbot | Show sources | ||
| Source: | File source: | ||
| Source: | Code function: | 6_2_0000023602440E30 | |
| Source: | Code function: | 6_2_000002360243B040 | |
| Source: | Code function: | 7_2_0000023538D2B040 | |
| Source: | Code function: | 7_2_0000023538D30E30 | |
| Source: | Code function: | 14_2_0000024B66AEB040 | |
| Source: | Code function: | 14_2_0000024B66AF0E30 | |
| Source: | Code function: | 4_2_6DD3C19C | |
| Source: | Code function: | 4_2_6DD3A853 | |
| Source: | Code function: | 4_2_6DD84DDD | |
| Source: | Code function: | 4_2_6DD321C0 | |
| Source: | Code function: | 4_2_6DD69660 | |
| Source: | Code function: | 4_2_6DD36369 | |
| Source: | Code function: | 4_2_6DD31000 | |
| Source: | Code function: | 4_2_6DD7260C | |
| Source: | Code function: | 6_2_0000023602440E30 | |
| Source: | Code function: | 6_2_0000023602448FF0 | |
| Source: | Code function: | 6_2_0000023602442CB0 | |
| Source: | Code function: | 6_2_00000236024385C0 | |
| Source: | Code function: | 6_2_00000236024325D0 | |
| Source: | Code function: | 6_2_00000236024459A0 | |
| Source: | Code function: | 6_2_000002360244C1A0 | |
| Source: | Code function: | 6_2_00000236024385B0 | |
| Source: | Code function: | 6_2_000002360244D670 | |
| Source: | Code function: | 6_2_000002360244FE10 | |
| Source: | Code function: | 6_2_0000023602435620 | |
| Source: | Code function: | 6_2_000002360243F630 | |
| Source: | Code function: | 6_2_0000023602449ED0 | |
| Source: | Code function: | 6_2_0000023602431AF0 | |
| Source: | Code function: | 6_2_0000023602439750 | |
| Source: | Code function: | 6_2_000002360244A760 | |
| Source: | Code function: | 6_2_000002360243BB70 | |
| Source: | Code function: | 6_2_0000023602440300 | |
| Source: | Code function: | 6_2_0000023602432B10 | |
| Source: | Code function: | 6_2_0000023602450320 | |
| Source: | Code function: | 6_2_00000236024333E0 | |
| Source: | Code function: | 6_2_000002360243DBE0 | |
| Source: | Code function: | 6_2_000002360243CBF0 | |
| Source: | Code function: | 6_2_000002360243EFB0 | |
| Source: | Code function: | 6_2_000002360244BC40 | |
| Source: | Code function: | 6_2_0000023602448800 | |
| Source: | Code function: | 6_2_000002360243E8E0 | |
| Source: | Code function: | 6_2_000002360244D0A0 | |
| Source: | Code function: | 6_2_00000236024370B0 | |
| Source: | Code function: | 6_2_0000023602433160 | |
| Source: | Code function: | 7_2_0000023538D38FF0 | |
| Source: | Code function: | 7_2_0000023538D32CB0 | |
| Source: | Code function: | 7_2_0000023538D30E30 | |
| Source: | Code function: | 7_2_0000023538D3BC40 | |
| Source: | Code function: | 7_2_0000023538D2CBF0 | |
| Source: | Code function: | 7_2_0000023538D2DBE0 | |
| Source: | Code function: | 7_2_0000023538D233E0 | |
| Source: | Code function: | 7_2_0000023538D38800 | |
| Source: | Code function: | 7_2_0000023538D2EFB0 | |
| Source: | Code function: | 7_2_0000023538D23160 | |
| Source: | Code function: | 7_2_0000023538D2E8E0 | |
| Source: | Code function: | 7_2_0000023538D270B0 | |
| Source: | Code function: | 7_2_0000023538D3D0A0 | |
| Source: | Code function: | 7_2_0000023538D3D670 | |
| Source: | Code function: | 7_2_0000023538D2F630 | |
| Source: | Code function: | 7_2_0000023538D25620 | |
| Source: | Code function: | 7_2_0000023538D3FE10 | |
| Source: | Code function: | 7_2_0000023538D285B0 | |
| Source: | Code function: | 7_2_0000023538D359A0 | |
| Source: | Code function: | 7_2_0000023538D3C1A0 | |
| Source: | Code function: | 7_2_0000023538D225D0 | |
| Source: | Code function: | 7_2_0000023538D285C0 | |
| Source: | Code function: | 7_2_0000023538D2BB70 | |
| Source: | Code function: | 7_2_0000023538D3A760 | |
| Source: | Code function: | 7_2_0000023538D40320 | |
| Source: | Code function: | 7_2_0000023538D29750 | |
| Source: | Code function: | 7_2_0000023538D21AF0 | |
| Source: | Code function: | 7_2_0000023538D22B10 | |
| Source: | Code function: | 7_2_0000023538D30300 | |
| Source: | Code function: | 7_2_0000023538D39ED0 | |
| Source: | Code function: | 14_2_0000024B66AEDBE0 | |
| Source: | Code function: | 14_2_0000024B66AE9750 | |
| Source: | Code function: | 14_2_0000024B66AF2CB0 | |
| Source: | Code function: | 14_2_0000024B66AF8FF0 | |
| Source: | Code function: | 14_2_0000024B66AFFE10 | |
| Source: | Code function: | 14_2_0000024B66AF0E30 | |
| Source: | Code function: | 14_2_0000024B66AEBB70 | |
| Source: | Code function: | 14_2_0000024B66AE33E0 | |
| Source: | Code function: | 14_2_0000024B66AEEFB0 | |
| Source: | Code function: | 14_2_0000024B66B00320 | |
| Source: | Code function: | 14_2_0000024B66AE2B10 | |
| Source: | Code function: | 14_2_0000024B66AE1AF0 | |
| Source: | Code function: | 14_2_0000024B66AF0300 | |
| Source: | Code function: | 14_2_0000024B66AFA760 | |
| Source: | Code function: | 14_2_0000024B66AFD0A0 | |
| Source: | Code function: | 14_2_0000024B66AEE8E0 | |
| Source: | Code function: | 14_2_0000024B66AE70B0 | |
| Source: | Code function: | 14_2_0000024B66AECBF0 | |
| Source: | Code function: | 14_2_0000024B66AF8800 | |
| Source: | Code function: | 14_2_0000024B66AFBC40 | |
| Source: | Code function: | 14_2_0000024B66AFC1A0 | |
| Source: | Code function: | 14_2_0000024B66AF59A0 | |
| Source: | Code function: | 14_2_0000024B66AE25D0 | |
| Source: | Code function: | 14_2_0000024B66AE85B0 | |
| Source: | Code function: | 14_2_0000024B66AE85C0 | |
| Source: | Code function: | 14_2_0000024B66AE3160 | |
| Source: | Code function: | 14_2_0000024B66AFD670 | |
| Source: | Code function: | 14_2_0000024B66AF9ED0 | |
| Source: | Code function: | 14_2_0000024B66AE5620 | |
| Source: | Code function: | 14_2_0000024B66AEF630 | |
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 6_2_0000023602431140 | |
| Source: | Code function: | 7_2_0000023538D21140 | |
| Source: | Code function: | 14_2_0000024B66AE1140 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | System information queried: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 4_2_6DD321C0 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 4_2_047F130A | |
| Source: | Code function: | 5_2_04B0130A | |
| Source: | Code function: | 5_2_04A507CD | |
| Source: | Code function: | 5_2_04A507CD | |
| Source: | Code function: | 5_2_04A507CD | |
| Source: | Code function: | 6_2_00000236024465F3 | |
| Source: | Code function: | 6_2_0000023602434351 | |
| Source: | Code function: | 7_2_0000023538D365F3 | |
| Source: | Code function: | 7_2_0000023538D24351 | |
| Source: | Code function: | 12_2_04FA130A | |
| Source: | Code function: | 14_2_0000024B66AE4351 | |
| Source: | Code function: | 14_2_0000024B66AF65F3 | |
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: | |
|---|
| Delayed program exit found | Show sources | ||
| Source: | Code function: | 5_2_04A80B52 | |
| Source: | Code function: | 12_2_034E0A85 | |
| Source: | Code function: | 12_2_034E0B52 | |
| Found evasive API chain (trying to detect sleep duration tampering with parallel thread) | Show sources | ||
| Source: | Function Chain: | ||
| Source: | Function Chain: | ||
| Source: | Function Chain: | ||
| Tries to detect virtualization through RDTSC time measurements | Show sources | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Code function: | 6_2_000002360244E610 | |
| Source: | Code function: | 6_2_000002360243A940 | |
| Source: | Code function: | 7_2_0000023538D2A940 | |
| Source: | Code function: | 14_2_0000024B66AEA940 | |
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Code function: | 14_2_0000024B66AE4800 | |
| Source: | Code function: | 14_2_0000024B66AEAC30 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 6_2_000002360244E610 | |
| Source: | Code function: | 4_2_6DD69660 | |
| Source: | Code function: | 4_2_6DD321C0 | |
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Allocates memory in foreign processes | Show sources | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Writes to foreign memory regions | Show sources | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected Trickbot | Show sources | ||
| Source: | File source: | ||
| Yara detected Trickbot | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected Trickbot | Show sources | ||
| Source: | File source: | ||
| Yara detected Trickbot | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Native API11 | Path Interception | Access Token Manipulation1 | Disable or Modify Tools1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection212 | Virtualization/Sandbox Evasion11 | LSASS Memory | Security Software Discovery121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection212 | NTDS | Virtualization/Sandbox Evasion11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll321 | Cached Domain Credentials | System Network Configuration Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| No Antivirus matches |
|---|
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1138157 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138157 | Download File | ||
| 100% | Avira | HEUR/AGEN.1138157 | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ident.me | 176.58.123.25 | true | false | unknown | |
| ipinfo.io | 216.239.32.21 | true | false | high | |
| 3.52.17.84.cbl.abuseat.org | 127.0.0.2 | true | false | high | |
| 3.52.17.84.zen.spamhaus.org | unknown | unknown | false | high |
Contacted URLs |
|---|
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 216.239.32.21 | ipinfo.io | United States | 15169 | GOOGLEUS | false | |
| 117.252.68.211 | unknown | India | 9829 | BSNL-NIBNationalInternetBackboneIN | true |
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 399327 |
| Start date: | 28.04.2021 |
| Start time: | 17:07:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 6s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 29 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal88.troj.evad.winDLL@18/14@6/2 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| No simulations |
|---|
Joe Sandbox View / Context |
|---|
IPs |
|---|
| No context |
|---|
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| ident.me | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| BSNL-NIBNationalInternetBackboneIN | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 8916410db85077a5460817142dcbc8de | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12022 |
| Entropy (8bit): | 3.777335867200176 |
| Encrypted: | false |
| SSDEEP: | 192:t9XBim0oXDHBUZMX4jed+H/u7sUS274It7c+:nXBiAXDBUZMX4jeq/u7sUX4It7c+ |
| MD5: | 9FFF3572AB97E08BFA6AC2D24EAC383F |
| SHA1: | 09978D3F2620624380F5D76188ED6D6F9416D324 |
| SHA-256: | C84624D148F834B7D849D5732ACFD75244E9B405462564BBCBE3F0910CB19810 |
| SHA-512: | 5DDE669EEDFB998904220C30FB32E77CAA3CC8A4728F3FDB00F11BC1AC408A09BEAE5E59B8F3BC64F7EFA22537BAD33507BF29850A2B68772835D1B0AE6B7DCD |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12020 |
| Entropy (8bit): | 3.7778633723964874 |
| Encrypted: | false |
| SSDEEP: | 192:0p5iU0oXTHBUZMX4jed+H/u7sUS274It7ct:siiXTBUZMX4jeq/u7sUX4It7ct |
| MD5: | 842113DBB3213203E38CFB4DB0DEA028 |
| SHA1: | 2DEEB2F0D95D006B953C627E7910703F555B2D98 |
| SHA-256: | DFCE9486F826F1D19D09AB2DBD0924BE6C026887BD8B4401EB99C43F6212AC3A |
| SHA-512: | 0399EDB53C6E73E6DB0DE0D762818B77A6FAF0D3C2EE0761634109A45805036A78F077B5196E9CE7E74A8AB1C55C1F20784750E6F40BF554E274225FE89D7C7B |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12022 |
| Entropy (8bit): | 3.777635997193173 |
| Encrypted: | false |
| SSDEEP: | 192:Bogic0oXLHBUZMX4jed+H/u7svS274It7c/:qgi6XrBUZMX4jeq/u7svX4It7c/ |
| MD5: | 386FAB2ABCCD41ABE0F3B8E45351339D |
| SHA1: | BDE4A9774F1BDB5D4F54BE292AE5B2D94C8FB226 |
| SHA-256: | 05153ABE1D13AC27E807AE85B10A9BDB8A368EB86423EEDB867B67996D04EC71 |
| SHA-512: | 332CDC437380DC2BDB842F281D4387C9D994C24DAB39660FCA67214F4C96DFC324F38B106792B7D6AEC7B27F20E158BB90E5B2C4660B309C95E54C53CAEE014B |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 67658 |
| Entropy (8bit): | 1.6479708343690704 |
| Encrypted: | false |
| SSDEEP: | 192:s8xld5wuChYvoSTCkA/htQ5XAPICExIjeqiUikVcRkpM4EgPhn8:Pxld3ChYgpJ/bs+ICEOi+iMOkpMzIh8 |
| MD5: | 5144A9413BBA0CAE623F9024E5692C06 |
| SHA1: | 68FEFCC45DCD98C0C7AB98A06B58A1378CD2A962 |
| SHA-256: | 2CC055E3C53390D86719CC1D94925571830775AD4F582302DA2F7D49CBC24B80 |
| SHA-512: | DE5C68DF5D38782E8EF390C100D2C24DF25590185E063589EF28770F02B43A6BD936970470E035508D220EDAEC7DD7AFBE883F303976F7B43904FCA0FEE66801 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 68618 |
| Entropy (8bit): | 1.6599488969509846 |
| Encrypted: | false |
| SSDEEP: | 192:SmTlrCgZ3svG8IjeqiUikVt+kUnJTftiJQcK1n4c:b5mgZcvWi+iMtCJTftUw4c |
| MD5: | CCEC2014F90E39B0FD9298B1C16AC707 |
| SHA1: | DFE9177E6433065BFBA713DCEAAE0471DFC6A5DD |
| SHA-256: | FCB69806E42E6C7BE30E8EAB576F3A7ABFDF1FCC6BDA86AE9B5EB4ED189D8716 |
| SHA-512: | 5C63727FF5F978E8E61821B708B8A0EE8BF3DEC57AA3871BD85F554F5682A0D6194866673EB0905E3E2E96225FAA3B711A5A517497C836B6DAD710EC0F66FBD5 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8362 |
| Entropy (8bit): | 3.69570843444687 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNi6D6Pes6YX162gmf8dS4CprQ89bAnTsfxnAm:RrlsNi+6Pes6Yl62gmf8dStAn4fxl |
| MD5: | E86C23DD9AB7CF965EE4BE61873D3EBF |
| SHA1: | CBCC377A81BD623AD8287EAD4C7D7150882EA6A8 |
| SHA-256: | 19A5DC5BA30386720580BAB19669F61055D31C1C916FA472ECDC3CF8AB70DC86 |
| SHA-512: | 3EC6EA1A40195732D0FFC9616A2D0D5D5467F627A81216B6770EA61F00A97C9AB4CCFFE014AC23056BBC5325B2D7C763836906AFE10C10F4C17F2B5FE7AECB26 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 67678 |
| Entropy (8bit): | 1.6851785096659588 |
| Encrypted: | false |
| SSDEEP: | 192:90PUnFo5eYZI68n967sgIjeqiUikVFzF8M6M1U//nJ:iP/UYG9Egi+iMVF8M69//J |
| MD5: | 31DCDC052C2C02FCAD819E734DBAD318 |
| SHA1: | C89EE77266B42299549B28D86BEE23EBD545A7F0 |
| SHA-256: | 4D43D8D7167E0C653E612621F8A395F3B6AFE2B7F42B57AB6CE6C753594084B8 |
| SHA-512: | B8AB7887D19331BF1B7A45E775E3D20A468E6B00CD672B685B4C3BA3E17E6C29A7C2D31C6CE47C8F3B90330701EFBDD2D6E008094B9F75E4C8A2ABCDA140C0AC |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8358 |
| Entropy (8bit): | 3.6963563878911425 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNiMTs6CX5Xo6YSV63gmf8dS4CprFq89bAnisfZCAm:RrlsNiMY6CJ46Yg63gmf8dSRAnhfZ0 |
| MD5: | 46F1EBE12628221CBDCC3564EA41F1DF |
| SHA1: | B70F04040843FEB1EE9D1D7F275C2863D33290A0 |
| SHA-256: | 6A7397EA241681C8D636D3A652DE73AA2D1EEFFAC1565AFF1631C0F90E6DA6DA |
| SHA-512: | A243B3565BAD7FD604B11CB6A5F64859D5A5EE277572DB15CF2CC25BF88923F669EB318B93CFE3A47B051311834E6807B1FFBC1639EFC9171A78597BC465DF6E |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4770 |
| Entropy (8bit): | 4.485901687905486 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsDJgtWI9OgWSC8B98fm8M4JCdsjMFRP+q8vjsj74SrSsad:uITfdhZSNcJJGPKO7DWPd |
| MD5: | C150636EE7137591E56D7E4A525090E7 |
| SHA1: | 33550A6028EF4F4FD2BDB80B40074D5F21FFE0E7 |
| SHA-256: | D5E4D2A5120B3AB302E68A13A3309770CFA6E734B28A8FC3BA604CA91CC27658 |
| SHA-512: | 84C334FFBDBE22C3D5777E7674994A54D25AEF94FB98C4EE94B78268606E05E50E1E48F1B4381B70F0E2CB0B4D1333D7A6296CD6543F51D408EE12845CC62E48 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4770 |
| Entropy (8bit): | 4.485313250774103 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsDJgtWI9OgWSC8Bo8fm8M4JCdsjMFu+q8vjsjF4SrS0d:uITfdhZSNLJJvKOFDW0d |
| MD5: | 73F6D868CF7E1C56F1ECFECFA428BF03 |
| SHA1: | 3D5C17DFC539330EC2E2FBF22CE02FC9F5DBD97C |
| SHA-256: | D04FBCFD538200D6FD6BFFDEE222E002E60D049C37CBFCB4F25AECB8465B081F |
| SHA-512: | A3D7FF7E902B44CA4192D5FD5CEDC0B3AAD1F20D765B11F0C0AAC82B0A93306B1B71166CC009C2BD262B2FCB0CAEDD2DFED17CD21E9058425B76CF81A1ADDC3D |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8364 |
| Entropy (8bit): | 3.69610550835962 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNiKj56VWL6YXPo62gmf8dS4Cprx89bHb8sfNtjm:RrlsNiI6VWL6Yg62gmf8dSeHbPf36 |
| MD5: | DBEFE80B11BE193217783F870869FFF1 |
| SHA1: | DB20688898F5A1EB3A4FDC8A8CF143DA06AAB010 |
| SHA-256: | 7D9C7FB03E110961F8E03A503C0FBE71121DC4FF8CB70673869E5828EC6FECD6 |
| SHA-512: | ECE13E21DC74D5CA3BF711A72E5C90A2AF6BA04C9B2962C4C94A74D70A6F7FAA05EF4C2613525F58BC73CE68B0643EF47162D004FC421BB97AD58DF0C2A064E1 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4770 |
| Entropy (8bit): | 4.48628973062307 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsDJgtWI9OgWSC8BI8fm8M4JCdsjMFio+q8vjsjr4SrSAd:uITfdhZSNnJJ7oKOrDWAd |
| MD5: | 427DF268236865246DCF50AF4C20E03B |
| SHA1: | F563EC2C0330E7A45B588BF7173C80A2AD52AAF9 |
| SHA-256: | BEEADE399CF1B212531CA1D3C024722DB9B3796AB08CC5B3646F5C5738B43CFF |
| SHA-512: | 0D20975D3334B626117876C3B5603B9BF54AEE7009E4C9468CA3B91DD436ECA90B16AC1CDF8F923FA6BCFE4C1163F782055B6892F84D187802C329CCBA62FE5C |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\wermgr.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 58596 |
| Entropy (8bit): | 7.995478615012125 |
| Encrypted: | true |
| SSDEEP: | 1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ |
| MD5: | 61A03D15CF62612F50B74867090DBE79 |
| SHA1: | 15228F34067B4B107E917BEBAF17CC7C3C1280A8 |
| SHA-256: | F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D |
| SHA-512: | 5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3 |
| Malicious: | false |
| Preview: |
|
| Process: | C:\Windows\System32\wermgr.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 326 |
| Entropy (8bit): | 3.123116142976021 |
| Encrypted: | false |
| SSDEEP: | 6:kKBWswTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:JWswTJrkPlE99SNxAhUe0ht |
| MD5: | 8B4156767ABA54BC9C1394B5F8AD2D27 |
| SHA1: | 10EA671DF8B8D84E1B7214A7500BE25C27020711 |
| SHA-256: | 3BEF1A9573DFC9BE29E81AD609CE17CEC5C2258DB8EDD5B59A0096D90EE9E723 |
| SHA-512: | 7039B1B078B7D3D374763F6F509DDB40F5F76936ABB33B7FCCBCF099EB65388A61FB68235EAD01E01D5FB435A4D6062ECD368D6A9FD9A0CC8AFBE13906E10D7E |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 6.606098630665599 |
| TrID: |
|
| File name: | fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll |
| File size: | 1375832 |
| MD5: | 526bd61e387de23722e171a34dcd7016 |
| SHA1: | 9007dece802951a0f29c9ab84085e7d1920099f6 |
| SHA256: | 7d35c3abef65ed1d81d2f70944db31ba2a8cc703f1ccf8b82ca7b3929b8233e1 |
| SHA512: | 9c4ef33c8084b928fff5025b6c3045c9fdea3289e7e71206a9ef6e77496f9758cc4ba123182a32b4518708259df99818429f31172e6b19f8d87a6b4dd0bde2b8 |
| SSDEEP: | 12288:ipb7Lvt5N5xg+KXHXp6p5mNISQlHH/u+lQd2arxszWrHP+4ktXk0K+QPQNc:ipb7Lvt5N5xg2qd2UPSy0ePp |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................Rich....................PE..L......`...........!.....D................. |
File Icon |
|---|
 | |
| Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x10001000 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x10000000 |
| Subsystem: | native |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT |
| Time Stamp: | 0x6087BC1F [Tue Apr 27 07:24:15 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | dd7a9fcfd98a20212beef73d23eba6f9 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push ebp |
| push ebx |
| push edi |
| push esi |
| sub esp, 54h |
| mov eax, dword ptr [10151088h] |
| mov ecx, dword ptr [10151084h] |
| lea edx, dword ptr [eax-01h] |
| imul edx, eax |
| xor eax, eax |
| dec eax |
| xor edx, eax |
| or edx, FFFFFFFEh |
| cmp edx, eax |
| mov eax, ACFFF8E6h |
| sete byte ptr [esp+15h] |
| cmp ecx, 0Ah |
| setl byte ptr [esp+16h] |
| cmp eax, 2E7BAD0Ch |
| jnle 00007F56B8BDA07Eh |
| cmp eax, 9D42655Dh |
| je 00007F56B8BDA099h |
| cmp eax, ACFFF8E6h |
| je 00007F56B8BDA0DAh |
| cmp eax, F5808584h |
| jne 00007F56B8BDA046h |
| mov eax, 9D42655Dh |
| jmp 00007F56B8BDA03Fh |
| cmp eax, 2E7BAD0Dh |
| je 00007F56B8BDA0EFh |
| cmp eax, 6E84CF46h |
| je 00007F56B8BDA92Eh |
| cmp eax, 7A073C9Eh |
| jne 00007F56B8BDA022h |
| jmp 00007F56B8BDB19Fh |
| mov eax, dword ptr [10151088h] |
| cmp dword ptr [esp+6Ch], 01h |
| mov esi, 6E84CF46h |
| mov edi, F5808584h |
| lea ecx, dword ptr [eax-01h] |
| sete byte ptr [esp+17h] |
| imul ecx, eax |
| mov eax, ecx |
| xor eax, FFFFFFFEh |
| test eax, ecx |
| mov eax, F5808584h |
| sete cl |
| cmove eax, esi |
| cmp dword ptr [10151084h], 0Ah |
| setl dl |
| cmovnl eax, edi |
| xor dl, cl |
| cmovne eax, esi |
| jmp 00007F56B8BD9FD8h |
| mov cl, byte ptr [esp+15h] |
| mov al, byte ptr [esp+00h] |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14c040 | 0x44 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14c154 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x152000 | 0x1018 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14c020 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xe6000 | 0x20 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xe42c2 | 0xe4400 | False | 0.118341619318 | data | 6.67783430633 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0xe6000 | 0x661de | 0x66200 | False | 0.710566956089 | data | 5.45913192024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x14d000 | 0x408c | 0x4200 | False | 0.697502367424 | data | 5.36135767092 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .reloc | 0x152000 | 0x1018 | 0x1200 | False | 0.619574652778 | data | 5.20239315796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Imports |
|---|
| DLL | Import |
|---|---|
| KERNEL32.dll | VirtualFree, LoadLibraryA, GetProcAddress, VirtualAlloc |
Exports |
|---|
| Name | Ordinal | Address |
|---|---|---|
| StartW | 1 | 0x100021c0 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 28, 2021 17:08:22.734883070 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:23.190110922 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:08:23.190352917 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:23.220391989 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:23.702476978 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:08:23.753757000 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:08:23.789621115 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:24.251329899 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:08:24.402605057 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:57.346214056 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:57.958123922 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:08:58.118437052 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:08:58.217983961 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:58.993257999 CEST | 49716 | 80 | 192.168.2.5 | 216.239.32.21 |
| Apr 28, 2021 17:08:59.037867069 CEST | 80 | 49716 | 216.239.32.21 | 192.168.2.5 |
| Apr 28, 2021 17:08:59.038062096 CEST | 49716 | 80 | 192.168.2.5 | 216.239.32.21 |
| Apr 28, 2021 17:08:59.043179989 CEST | 49716 | 80 | 192.168.2.5 | 216.239.32.21 |
| Apr 28, 2021 17:08:59.084278107 CEST | 80 | 49716 | 216.239.32.21 | 192.168.2.5 |
| Apr 28, 2021 17:08:59.200871944 CEST | 80 | 49716 | 216.239.32.21 | 192.168.2.5 |
| Apr 28, 2021 17:08:59.281435966 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:08:59.405586958 CEST | 49716 | 80 | 192.168.2.5 | 216.239.32.21 |
| Apr 28, 2021 17:08:59.751532078 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:00.111414909 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:00.111534119 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:00.111617088 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:00.111643076 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:00.800528049 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:01.271193981 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:01.508316994 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:01.626394987 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:02.084266901 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:02.399158955 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:02.454257011 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:02.937129974 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:03.178805113 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:03.405844927 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:03.449820995 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:09:04.036609888 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:04.162647009 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:09:04.218492985 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:10:09.188874960 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:10:09.188903093 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:10:09.189481020 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:10:09.212331057 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:10:09.212379932 CEST | 49712 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:10:09.724905968 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:10:09.724927902 CEST | 443 | 49712 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:10:12.772166967 CEST | 49716 | 80 | 192.168.2.5 | 216.239.32.21 |
| Apr 28, 2021 17:10:12.814766884 CEST | 80 | 49716 | 216.239.32.21 | 192.168.2.5 |
| Apr 28, 2021 17:10:12.814918041 CEST | 49716 | 80 | 192.168.2.5 | 216.239.32.21 |
| Apr 28, 2021 17:11:02.310023069 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:02.804231882 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:02.808007956 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:02.810683966 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:03.339526892 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:03.373402119 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:03.378614902 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:03.893985033 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:03.922416925 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:04.454848051 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:04.661617041 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:04.728499889 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:05.042570114 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:05.629462004 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:06.132323027 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:06.132350922 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:06.132450104 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:06.191734076 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:07.207998991 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:07.669682026 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:07.909128904 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:07.910717010 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:08.381062031 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:08.745474100 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:08.746862888 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:09.294528008 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:09.464015007 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
| Apr 28, 2021 17:11:09.525755882 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:09.585040092 CEST | 49717 | 443 | 192.168.2.5 | 117.252.68.211 |
| Apr 28, 2021 17:11:10.053153992 CEST | 443 | 49717 | 117.252.68.211 | 192.168.2.5 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 28, 2021 17:07:48.160593033 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:48.200809956 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:48.209230900 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:48.254340887 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:48.445698023 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:48.494424105 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:50.216670036 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:50.268507004 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:52.913378000 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:52.962208986 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:54.210639954 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:54.291165113 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:56.088862896 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:56.149188995 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:57.780459881 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:57.834247112 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:58.748929024 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:58.800805092 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:07:59.553164005 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:07:59.604929924 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:01.695460081 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:01.744214058 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:03.339021921 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:03.400693893 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:08.655849934 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:08.704713106 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:09.613068104 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:09.671700001 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:11.723964930 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:11.777609110 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:16.887226105 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:16.935991049 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:27.508649111 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:27.568825006 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:36.145446062 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:36.205780983 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:43.770411968 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:43.833728075 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:08:58.928292036 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:08:58.978487968 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:09:03.217358112 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:09:03.311316013 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:09:03.324460983 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:09:03.384957075 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:11:03.327486038 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:11:03.386709929 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:11:04.729396105 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:11:04.789280891 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:11:09.466181040 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:11:09.524808884 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5 |
| Apr 28, 2021 17:11:09.526842117 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
| Apr 28, 2021 17:11:09.583750010 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Apr 28, 2021 17:08:58.928292036 CEST | 192.168.2.5 | 8.8.8.8 | 0x99eb | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:09:03.217358112 CEST | 192.168.2.5 | 8.8.8.8 | 0x866b | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:09:03.324460983 CEST | 192.168.2.5 | 8.8.8.8 | 0xeeb | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:11:04.729396105 CEST | 192.168.2.5 | 8.8.8.8 | 0x1287 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:11:09.466181040 CEST | 192.168.2.5 | 8.8.8.8 | 0x49ca | Standard query (0) | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:11:09.526842117 CEST | 192.168.2.5 | 8.8.8.8 | 0x219a | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Apr 28, 2021 17:08:58.978487968 CEST | 8.8.8.8 | 192.168.2.5 | 0x99eb | No error (0) | 216.239.32.21 | A (IP address) | IN (0x0001) | ||
| Apr 28, 2021 17:08:58.978487968 CEST | 8.8.8.8 | 192.168.2.5 | 0x99eb | No error (0) | 216.239.38.21 | A (IP address) | IN (0x0001) | ||
| Apr 28, 2021 17:08:58.978487968 CEST | 8.8.8.8 | 192.168.2.5 | 0x99eb | No error (0) | 216.239.36.21 | A (IP address) | IN (0x0001) | ||
| Apr 28, 2021 17:08:58.978487968 CEST | 8.8.8.8 | 192.168.2.5 | 0x99eb | No error (0) | 216.239.34.21 | A (IP address) | IN (0x0001) | ||
| Apr 28, 2021 17:09:03.311316013 CEST | 8.8.8.8 | 192.168.2.5 | 0x866b | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:09:03.384957075 CEST | 8.8.8.8 | 192.168.2.5 | 0xeeb | No error (0) | 127.0.0.2 | A (IP address) | IN (0x0001) | ||
| Apr 28, 2021 17:11:04.789280891 CEST | 8.8.8.8 | 192.168.2.5 | 0x1287 | No error (0) | 176.58.123.25 | A (IP address) | IN (0x0001) | ||
| Apr 28, 2021 17:11:09.524808884 CEST | 8.8.8.8 | 192.168.2.5 | 0x49ca | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
| Apr 28, 2021 17:11:09.583750010 CEST | 8.8.8.8 | 192.168.2.5 | 0x219a | No error (0) | 127.0.0.2 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
|---|
|
HTTP Packets |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49716 | 216.239.32.21 | 80 | C:\Windows\System32\wermgr.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Apr 28, 2021 17:08:59.043179989 CEST | 679 | OUT | |
| Apr 28, 2021 17:08:59.200871944 CEST | 679 | IN |
HTTPS Packets |
|---|
| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 28, 2021 17:08:23.753757000 CEST | 117.252.68.211 | 443 | 192.168.2.5 | 49712 | O=Internet Widgits Pty Ltd, ST=Some-State, C=AU | O=Internet Widgits Pty Ltd, ST=Some-State, C=AU | Mon Apr 19 22:44:16 CEST 2021 | Tue Apr 19 22:44:16 CEST 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0 | 8916410db85077a5460817142dcbc8de |
| Apr 28, 2021 17:11:03.373402119 CEST | 117.252.68.211 | 443 | 192.168.2.5 | 49717 | O=Internet Widgits Pty Ltd, ST=Some-State, C=AU | O=Internet Widgits Pty Ltd, ST=Some-State, C=AU | Mon Apr 19 22:44:16 CEST 2021 | Tue Apr 19 22:44:16 CEST 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0 | 8916410db85077a5460817142dcbc8de |
Code Manipulations |
|---|
Statistics |
|---|
CPU Usage |
|---|
Click to jump to process
Memory Usage |
|---|
Click to jump to process
High Level Behavior Distribution |
|---|
back
Click to dive into process behavior distribution
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 17:07:55 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\System32\loaddll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb20000 |
| File size: | 116736 bytes |
| MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:07:55 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x150000 |
| File size: | 232960 bytes |
| MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:07:55 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd30000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:07:55 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd30000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:07:57 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\System32\wermgr.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff662b40000 |
| File size: | 209312 bytes |
| MD5 hash: | FF214585BF10206E21EA8EBA202FACFD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:07:57 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\System32\wermgr.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff662b40000 |
| File size: | 209312 bytes |
| MD5 hash: | FF214585BF10206E21EA8EBA202FACFD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:07:59 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1030000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:07:59 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\rundll32.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd30000 |
| File size: | 61952 bytes |
| MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
General |
|---|
| Start time: | 17:07:59 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1030000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:08:00 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\System32\wermgr.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff662b40000 |
| File size: | 209312 bytes |
| MD5 hash: | FF214585BF10206E21EA8EBA202FACFD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 17:08:02 |
| Start date: | 28/04/2021 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1030000 |
| File size: | 434592 bytes |
| MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
Disassembly |
|---|
Code Analysis |
|---|
Executed Functions |
|---|
Function 6DD3C19C, Relevance: 1547.0, APIs: 1, Strings: 1017, Instructions: 20001memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 047F1010, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowtimesleepCOMMON
Download Yara Rule
| C-Code - Quality: 55% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 047F1151, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 254windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD36369, Relevance: 14.2, Strings: 11, Instructions: 493COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD69660, Relevance: 2.7, Strings: 2, Instructions: 235COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Function 04A80B52, Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04B01010, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowtimesleepCOMMON
Download Yara Rule
| C-Code - Quality: 55% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04B01151, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 254windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04A80873, Relevance: 6.4, APIs: 4, Instructions: 435COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
Function 0000023602448FF0, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1014timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602454910, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602439BF0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 215COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602437D80, Relevance: 1.6, APIs: 1, Instructions: 150synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360243D940, Relevance: 1.6, APIs: 1, Instructions: 74libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360243E8E0, Relevance: .5, Instructions: 517COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360244DCE0, Relevance: .4, Instructions: 400COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000236024408F0, Relevance: .3, Instructions: 332COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602440060, Relevance: .3, Instructions: 291COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360244B5B0, Relevance: .2, Instructions: 229COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360243AC30, Relevance: .2, Instructions: 191COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360245423F, Relevance: .2, Instructions: 181COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000236024542EF, Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000236024542AF, Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602454355, Relevance: .2, Instructions: 169COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000236024542CD, Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602454336, Relevance: .2, Instructions: 166COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360245431B, Relevance: .2, Instructions: 165COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602437890, Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602452EE0, Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360244F460, Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602436B90, Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360243E570, Relevance: .1, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602452CB0, Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000236024484D0, Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602434670, Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00000236024354F0, Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602446510, Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023602450B70, Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 000002360244E610, Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Executed Functions |
|---|
Function 0000023538D38FF0, Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1014timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023538D44910, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023538D29BF0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 215COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023538D27D80, Relevance: 1.6, APIs: 1, Instructions: 150synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0000023538D2D940, Relevance: 1.6, APIs: 1, Instructions: 74libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
Function 034E0A85, Relevance: 3.1, APIs: 2, Instructions: 56sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 034E0B52, Relevance: 3.0, APIs: 2, Instructions: 24sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04FA1010, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowtimesleepCOMMON
Download Yara Rule
| C-Code - Quality: 55% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 04FA1151, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 254windowtimeCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Yara matches |
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|
Executed Functions |
|---|
Function 0000024B66AF8FF0, Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1014timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
|---|