Windows
Analysis Report
1jDe7zWnoe.exe
Overview
General Information
Detection
Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, Petya, RedLine
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected DeriaLock Ransomware
Found ransom note / readme
Yara detected Babuk Ransomware
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Petya ransomware
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Multi AV Scanner detection for dropped file
Yara detected InfinityLock Ransomware
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Writes directly to the primary disk partition (DR0)
Contains functionality to register hotkeys which are used to close and control applications (CTRL-ALT-DEL, ALT-F4 etc)
Found Tor onion address
Deletes keys related to Windows Defender
PE file has a writeable .text section
Deletes keys which are related to windows safe boot (disables safe mode boot)
Tries to evade debugger and weak emulator (self modifying code)
Clears the journal log
Machine Learning detection for sample
Clears the windows event log
Performs an instant shutdown (NtRaiseHardError)
Writes many files with high entropy
Connects to many different private IPs (likely to spread or exploit)
Tries to detect virtualization through RDTSC time measurements
Disables the Windows registry editor (regedit)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to create processes via WMI
Drops PE files with benign system names
Opens network shares
Disables Windows system restore
Contains functionality to enumerate network shares of other devices
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Office process tries to detect installed antivirus files
Disables the Windows task manager (taskmgr)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Infects the VBR (Volume Boot Record) of the hard disk
May use the Tor software to hide its network traffic
Modifies the windows firewall
Deletes shadow drive data (may be related to ransomware)
Connects to many different private IPs via SMB (likely to spread or exploit)
Infects the boot sector of the hard disk
Found evasive API chain (may stop execution after checking computer name)
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Creates a start menu entry (Start Menu\Programs\Startup)
Uses reg.exe to modify the Windows registry
Checks for available system drives (often done to infect USB drives)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Changes the start page of internet explorer
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Hides icons from the desktop
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Changes the window title of internet explorer
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Enables security privileges
Uses taskkill to terminate processes
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Classification
- System is w10x64
- 1jDe7zWnoe.exe (PID: 5912, cmdline: "C:\Users\user\Desktop\1jDe7zWnoe.exe", MD5: 3CE563E899291B59FA8C57C98CAD9B4E)
- Endermanch@BadRabbit.exe (PID: 4884, cmdline: "C:\Users\user\AppData\Local\Temp\vizhwbnh.yaz\Endermanch@BadRabbit.exe", MD5: FBBDC39AF1139AEBBA4DA004475E8839)
- conhost.exe (PID: 3924, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- rundll32.exe (PID: 5496, cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cmd.exe (PID: 1536, cmdline: /c schtasks /Delete /F /TN rhaegal, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5632, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 4952, cmdline: schtasks /Delete /F /TN rhaegal, MD5: 15FF7D8324231381BAD48A052F85DF04)
- cmd.exe (PID: 2792, cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2112656973 && exit", MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5524, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 5716, cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2112656973 && exit", MD5: 15FF7D8324231381BAD48A052F85DF04)
- cmd.exe (PID: 5300, cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:06:00, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 1280, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 6132, cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:06:00, MD5: 15FF7D8324231381BAD48A052F85DF04)
- EF39.tmp (PID: 1276, cmdline: "C:\Windows\EF39.tmp" \\.\pipe\{96A4BC70-5646-4F34-828D-297F35E216CA}, MD5: 347AC3B6B791054DE3E5720A7144A977)
- conhost.exe (PID: 5200, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 7368, cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 8340, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- wevtutil.exe (PID: 9328, cmdline: wevtutil cl Setup, MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
- wevtutil.exe (PID: 9432, cmdline: wevtutil cl System, MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
- wevtutil.exe (PID: 6372, cmdline: wevtutil cl Security, MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
- wevtutil.exe (PID: 13024, cmdline: wevtutil cl Application, MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
- fsutil.exe (PID: 13096, cmdline: fsutil usn deletejournal /D C:, MD5: 140A43A2237D7D7497D4E0568B518B71)
- cmd.exe (PID: 9376, cmdline: /c schtasks /Delete /F /TN drogon, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 9416, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 10284, cmdline: schtasks /Delete /F /TN drogon, MD5: 15FF7D8324231381BAD48A052F85DF04)
- Endermanch@Birele.exe (PID: 4924, cmdline: "C:\Users\user\AppData\Local\Temp\rje43etl.wlj\Endermanch@Birele.exe", MD5: 41789C704A0EECFDD0048B4B4193E752)
- taskkill.exe (PID: 5440, cmdline: taskkill /F /IM explorer.exe, MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- conhost.exe (PID: 5560, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@Cerber5.exe (PID: 5460, cmdline: "C:\Users\user\AppData\Local\Temp\5hado0b0.phn\Endermanch@Cerber5.exe", MD5: FE1BC60A95B2C2D77CD5D232296A7FA4)
- netsh.exe (PID: 3216, cmdline: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 3208, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- netsh.exe (PID: 5688, cmdline: C:\Windows\system32\netsh.exe advfirewall reset, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 5316, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 13128, cmdline: "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 13144, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- taskkill.exe (PID: 13176, cmdline: taskkill /f /im "E", MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- PING.EXE (PID: 13212, cmdline: ping -n 1 127.0.0.1, MD5: 70C24A306F768936563ABDADB9CA9108)
- Endermanch@DeriaLock.exe (PID: 4632, cmdline: "C:\Users\user\AppData\Local\Temp\gpgn0u0y.kpm\Endermanch@DeriaLock.exe", MD5: 0A7B70EFBA0AA93D4BC0857B87AC2FCB)
- Fantom.exe (PID: 5520, cmdline: "C:\Users\user\AppData\Local\Temp\0bcmbqtt.m3v\Fantom.exe", MD5: 7D80230DF68CCBA871815D68F016C282)
- Endermanch@InfinityCrypt.exe (PID: 5312, cmdline: "C:\Users\user\AppData\Local\Temp\0thmgnhb.zbf\Endermanch@InfinityCrypt.exe", MD5: B805DB8F6A84475EF76B795B0D1ED6AE)
- Endermanch@Krotten.exe (PID: 7328, cmdline: "C:\Users\user\AppData\Local\Temp\yz5ggchg.xck\Endermanch@Krotten.exe", MD5: 87CCD6F4EC0E6B706D65550F90B0E3C7)
- Endermanch@NoMoreRansom.exe (PID: 8332, cmdline: "C:\Users\user\AppData\Local\Temp\101awtpm.1qs\Endermanch@NoMoreRansom.exe", MD5: 63210F8F1DDE6C40A7F3643CCF0FF313)
- Endermanch@Petya.A.exe (PID: 11252, cmdline: "C:\Users\user\AppData\Local\Temp\yngyag0a.2kg\Endermanch@Petya.A.exe", MD5: AF2379CC4D607A45AC44D62135FB7015)
- Endermanch@PolyRansom.exe (PID: 13136, cmdline: "C:\Users\user\AppData\Local\Temp\ddft42qg.xs4\Endermanch@PolyRansom.exe", MD5: 3ED3FB296A477156BC51ABA43D825FC0)
- dekAkckQ.exe (PID: 13264, cmdline: C:\Users\user\fakAAcAY\dekAkckQ.exe, MD5: 327F75561227DE039329A625537B56A2)
- LOAcQQUU.exe (PID: 4488, cmdline: C:\ProgramData\vsMwMYIk\LOAcQQUU.exe, MD5: 0D6D628F4EAEA4532B8F79E83D4CF413)
- cmd.exe (PID: 1944, cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\ddft42qg.xs4\Endermanch@PolyRansom", MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5100, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@PolyRansom.exe (PID: 1324, cmdline: C:\Users\user\AppData\Local\Temp\ddft42qg.xs4\Endermanch@PolyRansom, MD5: 3ED3FB296A477156BC51ABA43D825FC0)
- reg.exe (PID: 2680, cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1, MD5: CEE2A7E57DF2A159A065A34913A055C2)
- Endermanch@WinlockerVB6Blacksod.exe (PID: 13256, cmdline: "C:\Users\user\AppData\Local\Temp\zfaio0hk.qy4\Endermanch@WinlockerVB6Blacksod.exe", MD5: DBFBF254CFB84D991AC3860105D66FC6)
- svchost.exe (PID: 6016, cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6040, cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6092, cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3092, cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 3928, cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 5168, cmdline: C:\Windows\system32\SgrmBroker.exe, MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 3592, cmdline: c:\windows\system32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5280, cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cmd.exe (PID: 5800, cmdline: C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 2112656973 && exit, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 1244, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- dispci.exe (PID: 7312, cmdline: "C:\Windows\dispci.exe" -id 2112656973, MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)
- conhost.exe (PID: 9424, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 13248, cmdline: /c schtasks /Delete /F /TN rhaegal, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 680, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 4556, cmdline: schtasks /Delete /F /TN rhaegal, MD5: 15FF7D8324231381BAD48A052F85DF04)
- cleanup
No configs have been found
Rule | Description | Author
---|---|---
cerber3 | Cerber3 | pekeinfo
JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security
MALWARE_Win_InfinityLock | Detects InfinityLock ransomware | ditekSHen
BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek
Rule | Description | Author
---|---|---
Ransom_Petya | Rule to detect Ransom.Petya with md5 AF2379CC4D607A45AC44D62135FB7015 | CCN-CERT
JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security
cerber3 | Cerber3 | pekeinfo
sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek
mimikatz | mimikatz | Benjamin DELPY (gentilkiwi)
Rule | Description | Author
---|---|---
cerber3 | Cerber3 | pekeinfo
INDICATOR_TOOL_ENC_DiskCryptor | Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | ditekSHen
BadRabbit_Mimikatz_Comp | Auto-generated rule | Florian Roth
mimikatz | mimikatz | Benjamin DELPY (gentilkiwi)
JoeSecurity_Mimikatz_2 | Yara detected Mimikatz | Joe Security
Data Obfuscation |
---|
Source: | Author: Joe Security: |
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype
---|---|---|---|---|---|---|---
09/29/22-14:50:03.652241 | 192.168.2.3 | 49772 | 54.242.4.101 | 80 | TCP | 2849813 | A Network Trojan was detected
09/29/22-14:50:03.652241 | 192.168.2.3 | 49772 | 54.242.4.101 | 80 | TCP | 2849814 | A Network Trojan was detected
09/29/22-14:48:40.474898 | 192.168.2.3 | 65523 | 93.107.12.0 | 6893 | UDP | 2023619 | A Network Trojan was detected
09/29/22-14:50:12.037893 | 192.168.2.3 | 49787 | 185.53.177.53 | 80 | TCP | 2809804 | A Network Trojan was detected
AV Detection (per-row details not preserved in this copy; rows grouped by evidence source) |
---|
Source: | Avira: | 32 entries |
Source: | ReversingLabs: | 25 entries |
Source: | Virustotal: | 1 entry |
Source: | Metadefender: | 24 entries |
Source: | Joe Sandbox ML: | 10 entries |
Source: | Code function: | 12_2_04775A73, 12_2_04775613, 12_2_04776299, 12_2_04776085, 12_2_0477554A, 12_2_04775507, 12_2_04775D0A, 12_2_04775BC4, 12_2_047715A7, 12_2_04776246, 12_2_047756D8, 12_2_0477559B, 12_2_04775780 |
Source: | Binary or memory string: | 1 entry |
Exploits (per-row details not preserved in this copy) |
---|
Source: | TCP traffic: | 10 entries |
Compliance (per-row details not preserved in this copy) |
---|
Source: | Unpacked PE file: | 1 entry |
Source: | Static PE information: | 2 entries |
Source: | HTTPS traffic detected: | 5 entries |
Source: | Binary string: | 22 entries |
Spreading (per-row details not preserved in this copy) |
---|
Source: | Code function: | 12_2_04779534, 12_2_04779B63 |
Source: | File opened: | 25 entries |
Source: | Code function: | 11_2_004048F8, 12_2_04775E9F |
Networking (per-row details not preserved in this copy) |
---|
Source: | Network Connect: | 6 entries |
Source: | Snort IDS: | 4 entries |
Source: | String found in binary or memory: | 51 entries |
Source: | Process created: | 1 entry |
Source: | HTTP traffic detected: | 120 entries |