Windows
Analysis Report
P355uy6y7d
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains strange resources
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
HTTP GET or POST without a user agent
Enables debug privileges
Classification
- System is w10x64
- P355uy6y7d.exe (PID: 6948, cmdline: "C:\Users\user\Desktop\P355uy6y7d.exe", MD5: 36CF17949DE5C5B6352C9D43AE2B6171)
  - WerFault.exe (PID: 5052, cmdline: C:\Windows\system32\WerFault.exe -u -p 6948 -s 1360, MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- Language, Device and Operating System Detection
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | (27 entries) |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | (50 entries) |
Source: | String found in binary or memory: | (4 entries) |
Source: | HTTP traffic detected: |
Source: | Static PE information: |
Source: | Binary or memory string: | (4 entries) |
Source: | Process created: |
Source: | Static PE information: | (2 entries) |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Section loaded: | (3 entries) |
Source: | Process created: | (2 entries) |
Source: | Key value queried: |
Source: | Mutant created: |
Source: | File created: |
Source: | String found in binary or memory: | (2 entries) |
Source: | Classification label: |
Source: | File read: | (2 entries) |
Source: | File opened: |
Source: | Static file information: |
Source: | Static PE information: | (5 entries) |
Source: | Binary string: | (27 entries) |
Data Obfuscation |
---|
Source: | .Net Code: |
Source: | Static PE information: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | (55 entries) |
Source: | Binary or memory string: |
Source: | Process queried: | (2 entries) |
Source: | Process token adjusted: |
Source: | Memory allocated: |
Source: | Queries volume information: |
Source: | Key value queried: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Query Registry | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Non-Application Layer Protocol | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Process Injection | NTDS | 12 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
28% | Virustotal | Browse | ||
20% | ReversingLabs | Win64.Trojan.Generic | ||
100% | Avira | HEUR/AGEN.1216637 | ||
100% | Joe Sandbox ML |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1216637 | Download File | ||
100% | Avira | HEUR/AGEN.1216637 | Download File | ||
100% | Avira | HEUR/AGEN.1216637 | Download File | ||
100% | Avira | HEUR/AGEN.1216637 | Download File |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe |
⊘No contacted domains info
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | high |
| | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
194.87.31.4 | unknown | Russian Federation | 49392 | ASBAXETNRU | false |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 630062 |
Start date and time: | 2022-05-19 12:57:10 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 24s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | P355uy6y7d (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal64.evad.winEXE@2/4@0/1 (score 64, evasion tag, Windows EXE; 2 processes / 4 dropped files; 0 contacted domains / 1 contacted IP) |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 104.208.16.94
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
- Execution Graph export aborted for target P355uy6y7d.exe, PID 6948 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description |
---|---|---|
12:58:56 | API Interceptor |
⊘No context
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0911164644330105 |
Encrypted: | false |
SSDEEP: | 96:djFGMn50+XgIfuaQqYMlHGxsiKpXIQcQUc6FcE/cw37Dp+BHUHZ0ownOgFkEwk6s:BVz3wUHKBlIa1cOqyG/u7sPS274ltE |
MD5: | 1112C2BDE6D1FAD635C04BA83E7CA865 |
SHA1: | 2847CCADEA24E94449BFD17B116637B90897FE0C |
SHA-256: | CA821EFDA66FA874FBD009C6828BE681F29DF13AE5E8D5727C529A04579A6608 |
SHA-512: | 5F73B055428160E1CF48965FFAB0C18966A4D6981CA669F43CD8F7473AA2B438B57D91792E6B3383D2C361416CC4199D1107DB39B5AE71F885F2688A4C261D50 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 401160 |
Entropy (8bit): | 2.957989987936535 |
Encrypted: | false |
SSDEEP: | 3072:L4kWg6wrnwak1v5QH0G4lmF0+/QgqjGeahYr4PZkl9cfdW+JrRyw:sk3nrOjH1WY8PZvW+7l |
MD5: | 3E6762E99AFEBC71C19EB8452630C15B |
SHA1: | 3079004F1AB77448470251BB97D484F6BC7E6129 |
SHA-256: | 1E6CE67EE6738DA9B14502509FDEF27810F93D8EB80B5091B61266687096FB95 |
SHA-512: | 655034E064492FF548321FCF580D2F859D988C2418A46965432C14861D396521A35CEF99EC8618E81D2E783357B477ED9E07B65250C1BDA9C16C8B0AA89D8CAA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8800 |
Entropy (8bit): | 3.6960811409252265 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiZ6te6YoiI9Ml4ZgmfZQSnCprH89bn2dfrNm:RrlsNi0E6YdI9McgmfKSnnUfs |
MD5: | 5F578A64C53EA0CC21393A2D36DAAC59 |
SHA1: | B3E190E53ED2C81A84F270F773214C5D05595778 |
SHA-256: | 45B85F0082969CFAD98AAEDBB3C2A0A9EA1E72084C9E6DEF3D441303E535902C |
SHA-512: | C3B4B1B698CC62EFD56E8020F2E00AF4423DE324F5E9E98FD04FFF796EAC078E12ECE7D120D0F1B934F7F7F61E0A1AA7005B3A60FD1E5BDDEDE18CD8D288A541 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4795 |
Entropy (8bit): | 4.462266573144948 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsuJgtBI9tkcWgc8sqYjh8fm8M4JwMNzsFP1oyq8veNzWT5ABd:uITfkAVgrsqYaJwM6oWeQT5ABd |
MD5: | 03188F452F07F1FB52381AAB2183D0BD |
SHA1: | 90DB7B7C8D1A40F5BCB1AB4AE408795D0158B3E1 |
SHA-256: | FF42CDA6F5C9076D66BB53A15F526A887C60399B9DD3697E4DA6E3DB7822ADC6 |
SHA-512: | 6CB34A36BDC0B8E52F3AD6670B37EF13EDF3E2187558A27477D2DF7D0750C6E9C5D05A1D6E31662059FF309C20E9A5777C48E0EF780D76B53BCE954B282938FE |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.920655166214458 |
TrID: | |
File name: | P355uy6y7d.exe |
File size: | 2276808 |
MD5: | 36cf17949de5c5b6352c9d43ae2b6171 |
SHA1: | 44b8ca8856a490f67bd87b61aaee9fa659861813 |
SHA256: | 4e88ad28c28a0c02bec0b70271acf0ad1898f64ee1e9ef5a86f844001fb3a19a |
SHA512: | 7918342745abccc91d6cd65b1450463929aad89ce373b168cbf2ff0c93d0677bf4a391d19eee0fea57146e1e47c80240c56435eff86980791a35ff5c9896ded7 |
SSDEEP: | 49152:Ayuh7CBWXj2KeHJmuAK3u5LBE3cRJ0/fyJPU+XAzpHjoPqp:tQ7HPeN7+5nRJ8AfO3p |
TLSH: | B3B500919965CC89D4A6DFF328F685B7D30E1FED6E2094AC3240FF351AB64AC1B40D26 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....r............"...0... .............. .....@..... ........................"...........@...@......@............... ..... |
Icon Hash: | e8b2f0f0ecf0f2e8 |
Entrypoint: | 0x140000000 |
Entrypoint Section: | |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0xFF1B72D1 [Mon Aug 17 21:49:05 2105 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: |
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | D15B2B9631F8B37BA8D83A5AE528A8BB |
Thumbprint SHA-1: | 8740DF4ACB749640AD318E4BE842F72EC651AD80 |
Thumbprint SHA-256: | 2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21 |
Serial: | 33000002528B33AAF895F339DB000000000252 |
The entry point RVA is 0, so the entry address equals the image base (0x140000000) and lies in no section. The bytes listed below are therefore the DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00, starting with "MZ") decoded as x86, not code. That is the normal shape of a 64-bit IL-only .NET image: it carries no native entry stub and no import table, and the Windows loader starts it through the CLR header referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR.
Instruction (bytes at the entry point) |
---|
dec ebp |
pop edx |
nop |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax+eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x204000 | 0x27f96 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x229600 | 0x27c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x20133c | 0x201400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0x204000 | 0x27f96 | 0x28000 | False | 0.0666687011719 | data | 3.46254253895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
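The static indicators above (entry point equal to the image base, an empty import directory beside a CLR header, a timestamp in the year 2105, and an Authenticode blob that does not verify) can be re-derived from the raw header with a few dozen lines of parsing. The following is an added example and not part of the Joe Sandbox report or of the sample: a pure-Python PE32+ header parser plus the four checks. The header bytes it parses are constructed with struct.pack to mirror the values in the tables above (the sample's actual bytes are not reproduced here), and the file offset of the security directory is reported only as "present"; verifying the signature itself needs a WinTrust or openssl step that this snippet does not perform.

```python
import struct
import time

PE32PLUS_MAGIC = 0x20B
DIR_IMPORT, DIR_SECURITY, DIR_COM_DESCRIPTOR = 1, 4, 14  # data-directory indices


def build_sample_headers(timestamp=0xFF1B72D1, entry_rva=0, image_base=0x140000000,
                         import_dir=(0, 0), security_dir=(0x229600, 0x27C8),
                         clr_dir=(0x2000, 0x48)):
    """Constructed PE32+ header (DOS header + COFF + optional header, no sections).

    The defaults mirror the report's table; these are NOT the sample's own bytes.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> "PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)                                # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)         # ImageBase
    struct.pack_into("<I", opt, 60, 0x200)              # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    for idx, (va, size) in ((DIR_IMPORT, import_dir), (DIR_SECURITY, security_dir),
                            (DIR_COM_DESCRIPTOR, clr_dir)):
        struct.pack_into("<II", opt, 112 + 8 * idx, va, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe(data):
    """Extract the header fields the checks below need from a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(n_dirs)]
    # Inside the headers RVA == file offset, so the bytes "at the entry point" can be shown directly.
    entry_bytes = data[entry_rva:entry_rva + 12] if entry_rva < size_of_headers else None
    return {"machine": machine, "timestamp": timestamp, "entry_rva": entry_rva,
            "image_base": image_base, "entry_va": image_base + entry_rva,
            "dirs": dirs, "entry_bytes": entry_bytes}


def _dir(pe, idx):
    return pe["dirs"][idx] if idx < len(pe["dirs"]) else (0, 0)


def triage(pe, now=None):
    """Findings matching the report's static signatures; empty list means nothing odd."""
    now = time.time() if now is None else now
    findings = []
    import_size = _dir(pe, DIR_IMPORT)[1]
    sec_off, sec_size = _dir(pe, DIR_SECURITY)
    clr_size = _dir(pe, DIR_COM_DESCRIPTOR)[1]
    if pe["entry_rva"] == 0:
        findings.append("entry point RVA 0: the 'entry' is the DOS header, any disassembly there is noise")
    if import_size == 0 and clr_size:
        findings.append("no import table but a CLR header: IL-only .NET image started via the CLR header")
    elif import_size == 0:
        findings.append("no import table and no CLR header: packed, corrupt, or resolving APIs at run time")
    days_ahead = (pe["timestamp"] - now) / 86400
    if days_ahead > 1:
        findings.append("PE timestamp 0x%08x lies %.0f days in the future" % (pe["timestamp"], days_ahead))
    if sec_size:
        findings.append("Authenticode blob at file offset 0x%x (%d bytes): presence is not validity, verify it"
                        % (sec_off, sec_size))
    return findings


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_headers())):
        print("-", line)
```

Running the block prints four findings for the constructed header and none for a header with a non-zero entry RVA, an import table, a past timestamp and no security directory; the test below checks both cases with a fixed "now" so the timestamp verdict does not depend on the clock.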
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x204280 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x214aa8 | 0x94a8 | data | ||
RT_ICON | 0x21df50 | 0x5488 | data | ||
RT_ICON | 0x2233d8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | ||
RT_ICON | 0x227600 | 0x25a8 | data | ||
RT_ICON | 0x229ba8 | 0x10a8 | data | ||
RT_ICON | 0x22ac50 | 0x988 | data | ||
RT_ICON | 0x22b5d8 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x22ba40 | 0x76 | data | ||
RT_VERSION | 0x22bab8 | 0x2f4 | data | ||
RT_MANIFEST | 0x22bdac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | |
Assembly Version | 1.0.0.0 |
InternalName | RevoveryUpdate.exe |
FileVersion | 1.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | |
ProductVersion | 1.0.0.0 |
FileDescription | |
OriginalFilename | RevoveryUpdate.exe |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 19, 2022 12:58:15.303103924 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.326575041 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.326698065 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.329128027 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.354022026 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354089022 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354129076 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354168892 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354183912 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.354211092 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354229927 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.354254007 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354293108 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354310989 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.354334116 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354374886 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354391098 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.354414940 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.354470968 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377119064 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377182961 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377223969 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377264023 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377302885 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377320051 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377343893 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377357960 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377384901 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377404928 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377424955 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377465963 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377489090 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377504110 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377545118 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377556086 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377584934 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377624035 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377636909 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377664089 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377702951 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377718925 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377748013 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377789974 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377801895 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377829075 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377870083 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377887011 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.377909899 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.377969027 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.400707960 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.400784016 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.400825977 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.400866032 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.400871992 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.400907040 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.400923967 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.400950909 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.400990963 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401009083 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401031971 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401072979 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401084900 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401112080 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401153088 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401192904 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401194096 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401237965 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401247025 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401281118 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401321888 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401331902 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401361942 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401402950 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401412010 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401443005 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401484013 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401494980 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401525021 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401566029 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401575089 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401607990 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401647091 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401658058 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401686907 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401726961 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401740074 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401770115 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401809931 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401829004 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401849985 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401891947 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401906013 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.401933908 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401972055 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.401987076 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.402013063 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.402054071 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.402067900 CEST | 49736 | 80 | 192.168.2.5 | 194.87.31.4 |
May 19, 2022 12:58:15.402096033 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
May 19, 2022 12:58:15.402137041 CEST | 80 | 49736 | 194.87.31.4 | 192.168.2.5 |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.5 | 49736 | 194.87.31.4 | 80 | C:\Users\user\Desktop\P355uy6y7d.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 19, 2022 12:58:15.329128027 CEST | 212 | OUT | |
May 19, 2022 12:58:15.354022026 CEST | 213 | IN |
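The two network signatures the report raised against this session ("TCP traffic detected without corresponding DNS query" and "HTTP GET or POST without a user agent") reduce to two simple joins over DNS answers, flow records and request headers. The block below is an added example, not part of the Joe Sandbox report; the DNS answer, the second flow and both request byte strings are constructed for the example (the report shows the session to 194.87.31.4:80 but not the request bytes), and the whitelist reuses the IP the cookbook comments list as excluded.

```python
from datetime import datetime

# Constructed records (not taken from the report's pcap). Times are local sandbox time (CEST).
DNS_ANSWERS = [
    # (answer time, queried name, resolved IP)
    (datetime(2022, 5, 19, 12, 58, 10), "update.example.test", "203.0.113.7"),
]
TCP_FLOWS = [
    # (first packet time, src IP, src port, dst IP, dst port, process)
    (datetime(2022, 5, 19, 12, 58, 15), "192.168.2.5", 49736, "194.87.31.4", 80, "P355uy6y7d.exe"),
    (datetime(2022, 5, 19, 12, 58, 20), "192.168.2.5", 49740, "203.0.113.7", 443, "svchost.exe"),
]
HTTP_REQUESTS = [
    b"GET /p HTTP/1.1\r\nHost: 194.87.31.4\r\nConnection: Keep-Alive\r\n\r\n",  # constructed
    b"GET / HTTP/1.1\r\nHost: update.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",  # constructed
]
# IPs the analysis excluded as sandbox/OS background noise (from the cookbook comments above).
WHITELIST = frozenset({"104.208.16.94"})


def tcp_without_dns(flows, dns_answers, whitelist=frozenset()):
    """Flows whose destination IP never appeared in a DNS answer observed before the flow started.

    Hard-coded C2 addresses show up here; a legitimate client almost always resolves a name first.
    """
    hits = []
    for started, _src, _sport, dst, dport, proc in flows:
        if dst in whitelist:
            continue
        resolved = any(ip == dst and answered <= started for answered, _name, ip in dns_answers)
        if not resolved:
            hits.append((dst, dport, proc))
    return hits


def parse_request_headers(raw):
    """Split an HTTP/1.x request head into (method, target, {lower-cased header: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def http_without_user_agent(requests):
    """GET/POST requests that carry no User-Agent header at all (not just an odd one)."""
    hits = []
    for raw in requests:
        method, target, headers = parse_request_headers(raw)
        if method in ("GET", "POST") and "user-agent" not in headers:
            hits.append((method, headers.get("host", ""), target))
    return hits


if __name__ == "__main__":
    print("TCP without DNS:", tcp_without_dns(TCP_FLOWS, DNS_ANSWERS, WHITELIST))
    print("HTTP without User-Agent:", http_without_user_agent(HTTP_REQUESTS))
```

The DNS check is ordered on time on purpose: an answer that arrives after the connection opened does not explain it. The User-Agent check tests for absence only; matching on a known-bad agent string is a separate, weaker rule, since the sample could send any value.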