Analysis Report: bpkAAJptGv.exe (Windows)
Overview
General Information
Detection
Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Yara detected RedLine Stealer
Yara detected DeriaLock Ransomware
Yara detected Babuk Ransomware
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Multi AV Scanner detection for dropped file
Yara detected InfinityLock Ransomware
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Deletes keys related to Windows Defender
PE file has a writeable .text section
Deletes keys which are related to windows safe boot (disables safe mode boot)
Machine Learning detection for sample
Writes many files with high entropy
Connects to many different private IPs (likely to spread or exploit)
Disables security and backup related services
Tries to detect virtualization through RDTSC time measurements
Disables the windows security center
Disables the Windows registry editor (regedit)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to create processes via WMI
Opens network shares
Disables Windows system restore
Contains functionality to enumerate network shares of other devices
Changes security center settings (notifications, updates, antivirus, firewall)
Disables the Windows task manager (taskmgr)
PE file has nameless sections
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the windows firewall
Connects to many different private IPs via SMB (likely to spread or exploit)
Found evasive API chain (may stop execution after checking computer name)
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Checks for available system drives (often done to infect USB drives)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Changes the start page of internet explorer
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Changes the window title of internet explorer
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses net.exe to stop services
PE file contains an invalid checksum
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Uses taskkill to terminate processes
Found evaded block containing many API calls
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapater information
Classification
- System is w10x64
- bpkAAJptGv.exe (PID: 5512 cmdline: "C:\Users\user\Desktop\bpkAAJptGv.exe" MD5: D197FAD90535FB974DB139537A091A5B)
- bpkAAJptGv.exe (PID: 1324 cmdline: "C:\Users\user\Desktop\bpkAAJptGv.exe" MD5: D197FAD90535FB974DB139537A091A5B)
- Endermanch@Antivirus.exe (PID: 1332 cmdline: "C:\Users\user\Desktop\Endermanch@Antivirus.exe" MD5: C7E9746B1B039B8BD1106BCA3038C38F)
- net.exe (PID: 3796 cmdline: net stop wscsvc MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- net.exe (PID: 7012 cmdline: net stop winmgmt /y MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- net.exe (PID: 7032 cmdline: net start winmgmt MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- net.exe (PID: 7456 cmdline: net start wscsvc MD5: DD0561156F62BC1958CE0E370B23711B)
- Endermanch@AntivirusPlatinum.exe (PID: 272 cmdline: "C:\Users\user\Desktop\Endermanch@AntivirusPlatinum.exe" MD5: 382430DD7EAE8945921B7FEAB37ED36B)
- 302746537.exe (PID: 3820 cmdline: "C:\WINDOWS\302746537.exe" MD5: 8703FF2E53C6FD3BC91294EF9204BACA)
- cmd.exe (PID: 5308 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\341C.tmp\302746537.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- regsvr32.exe (PID: 5136 cmdline: regsvr32 /s c:\windows\comctl32.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 1104 cmdline: regsvr32 /s c:\windows\mscomctl.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- antivirus-platinum.exe (PID: 792 cmdline: c:\windows\antivirus-platinum.exe MD5: CD1800322CCFC425014A8394B01A4B3D)
- attrib.exe (PID: 7020 cmdline: attrib +h c:\windows\antivirus-platinum.exe MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
- Endermanch@AntivirusPro2017.exe (PID: 1632 cmdline: "C:\Users\user\Desktop\Endermanch@AntivirusPro2017.exe" MD5: 7DFBFBA1E4E64A946CB096BFC937FBAD)
- Endermanch@AnViPC2009.exe (PID: 2296 cmdline: "C:\Users\user\Desktop\Endermanch@AnViPC2009.exe" MD5: 910DD666C83EFD3496F21F9F211CDC1F)
- avpc2009.exe (PID: 1588 cmdline: "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe" MD5: C18A7323332B3292A8E0F1C81DF65698)
- Endermanch@BadRabbit.exe (PID: 5224 cmdline: "C:\Users\user\Desktop\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
- conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- rundll32.exe (PID: 4900 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cmd.exe (PID: 4944 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 1804 cmdline: schtasks /Delete /F /TN rhaegal MD5: 15FF7D8324231381BAD48A052F85DF04)
- cmd.exe (PID: 5620 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1382722661 && exit" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 2020 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1382722661 && exit" MD5: 15FF7D8324231381BAD48A052F85DF04)
- cmd.exe (PID: 2040 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:04:00 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 1964 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:04:00 MD5: 15FF7D8324231381BAD48A052F85DF04)
- 870F.tmp (PID: 1852 cmdline: "C:\Windows\870F.tmp" \\.\pipe\{60F226A4-8E49-484F-BBA1-D3ECC97C63B9} MD5: 347AC3B6B791054DE3E5720A7144A977)
- conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@Birele.exe (PID: 4156 cmdline: "C:\Users\user\Desktop\Endermanch@Birele.exe" MD5: 41789C704A0EECFDD0048B4B4193E752)
- taskkill.exe (PID: 2368 cmdline: taskkill /F /IM explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- conhost.exe (PID: 60 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@Cerber5.exe (PID: 480 cmdline: "C:\Users\user\Desktop\Endermanch@Cerber5.exe" MD5: FE1BC60A95B2C2D77CD5D232296A7FA4)
- netsh.exe (PID: 3364 cmdline: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- netsh.exe (PID: 3176 cmdline: C:\Windows\system32\netsh.exe advfirewall reset MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@DeriaLock.exe (PID: 4008 cmdline: "C:\Users\user\Desktop\Endermanch@DeriaLock.exe" MD5: 0A7B70EFBA0AA93D4BC0857B87AC2FCB)
- Endermanch@FakeAdwCleaner.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\Endermanch@FakeAdwCleaner.exe" MD5: 248AADD395FFA7FFB1670392A9398454)
- 6AdwCleaner.exe (PID: 6148 cmdline: "C:\Users\user\AppData\Local\6AdwCleaner.exe" MD5: 87E4959FEFEC297EBBF42DE79B5C88F6)
- Endermanch@HappyAntivirus.exe (PID: 3108 cmdline: "C:\Users\user\Desktop\Endermanch@HappyAntivirus.exe" MD5: CB02C0438F3F4DDABCE36F8A26B0B961)
- Endermanch@InfinityCrypt.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\Endermanch@InfinityCrypt.exe" MD5: B805DB8F6A84475EF76B795B0D1ED6AE)
- svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4456 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6116 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6084 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 5232 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 5204 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5372 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- MpCmdRun.exe (PID: 5696 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
- conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 5408 cmdline: c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cmd.exe (PID: 4368 cmdline: C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1382722661 && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 3216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security | 
 | MALWARE_Win_InfinityLock | Detects InfinityLock ransomware | ditekSHen | 
 | cerber3 | Cerber3 | pekeinfo | 
 | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth | 
 | sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek | 
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security | 
 | mimikatz | mimikatz | Benjamin DELPY (gentilkiwi) | 
 | JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security | 
 | cerber3 | Cerber3 | pekeinfo | 
 | JoeSecurity_DeriaLock | Yara detected DeriaLock Ransomware | Joe Security | 
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth | 
 | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth | 
 | INDICATOR_TOOL_ENC_DiskCryptor | Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | ditekSHen | 
 | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth | 
 | BadRabbit_Mimikatz_Comp | Auto-generated rule | Florian Roth | 
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
---|---|---|---|---|---|---|---
09/29/22-14:46:14.805892 | 192.168.2.6 | 63230 | 93.107.12.0 | 6893 | UDP | 2023614 | A Network Trojan was detected
09/29/22-14:46:27.973801 | 192.168.2.6 | 49811 | 185.53.177.53 | 80 | TCP | 2809804 | A Network Trojan was detected
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira: | ||
Source: | ReversingLabs: | |||
Source: | Metadefender: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Code function: | 20_2_04E26085 | |
Source: | Code function: | 20_2_04E26299 | |
Source: | Code function: | 20_2_04E25A73 | |
Source: | Code function: | 20_2_04E25613 | |
Source: | Code function: | 20_2_04E25BC4 | |
Source: | Code function: | 20_2_04E215A7 | |
Source: | Code function: | 20_2_04E2554A | |
Source: | Code function: | 20_2_04E25507 | |
Source: | Code function: | 20_2_04E25D0A | |
Source: | Code function: | 20_2_04E256D8 | |
Source: | Code function: | 20_2_04E26246 | |
Source: | Code function: | 20_2_04E25780 | |
Source: | Code function: | 20_2_04E2559B |
Exploits |
---|
Source: | TCP traffic: | ||
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | Binary string: | ||
Spreading |
---|
Source: | Code function: | 20_2_04E29534 | |
Source: | Code function: | 20_2_04E29B63 |
Source: | File opened: | ||
Source: | Code function: | 12_2_00405C10 | |
Source: | Code function: | 12_2_0040AE97 | |
Source: | Code function: | 20_2_04E25E9F |
Networking |
---|
Source: | Network Connect: | ||
Source: | Snort IDS: | ||
Source: | String found in binary or memory: | ||
Source: | HTTP traffic detected: | ||