Windows
Analysis Report
4d44bed6.exe
Overview
General Information
Detection
Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected DeriaLock Ransomware
Yara detected Babuk Ransomware
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Multi AV Scanner detection for dropped file
Yara detected InfinityLock Ransomware
Creates multiple autostart registry keys
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (window names)
Found Tor onion address
Deletes keys related to Windows Defender
PE file has a writeable .text section
Deletes keys which are related to windows safe boot (disables safe mode boot)
Clears the journal log
Machine Learning detection for sample
Clears the windows event log
Writes many files with high entropy
Connects to many different private IPs (likely to spread or exploit)
Disables security and backup related services
Tries to detect virtualization through RDTSC time measurements
Disables the windows security center
Disables the Windows registry editor (regedit)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Opens network shares
Disables Windows system restore
Changes security center settings (notifications, updates, antivirus, firewall)
Disables the Windows task manager (taskmgr)
PE file has nameless sections
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the windows firewall
Connects to many different private IPs via SMB (likely to spread or exploit)
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Deletes Internet Explorer cookies via registry
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Changes the start page of internet explorer
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Changes the window title of internet explorer
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses net.exe to stop services
PE file contains an invalid checksum
File is packed with WinRar
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Enables security privileges
Uses taskkill to terminate processes
Found evaded block containing many API calls
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Classification
- System is w10x64
- 4d44bed6.exe (PID: 5008 cmdline: "C:\Users\user\Desktop\4d44bed6.exe" MD5: F7FAD376E883D2BAB82FBAE91E5874F5)
- 4d44bed6.exe (PID: 3684 cmdline: "C:\Users\user\Desktop\4d44bed6.exe" MD5: F7FAD376E883D2BAB82FBAE91E5874F5)
- Endermanch@Antivirus.exe (PID: 4204 cmdline: "C:\Users\user\Desktop\Endermanch@Antivirus.exe" MD5: C7E9746B1B039B8BD1106BCA3038C38F)
- net.exe (PID: 9360 cmdline: net stop wscsvc MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 9392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- net1.exe (PID: 9504 cmdline: C:\Windows\system32\net1 stop wscsvc MD5: B5A26C2BF17222E86B91D26F1247AF3E)
- net.exe (PID: 9376 cmdline: net stop winmgmt /y MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 9456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- net.exe (PID: 9416 cmdline: net start winmgmt MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 9512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- net.exe (PID: 9496 cmdline: net start wscsvc MD5: DD0561156F62BC1958CE0E370B23711B)
- conhost.exe (PID: 9568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- mofcomp.exe (PID: 9548 cmdline: mofcomp C:\Users\user\AppData\Local\Temp\4otjesjty.mof MD5: D8CE382C476699434A26272E8B7D5526)
- Endermanch@AntivirusPlatinum.exe (PID: 348 cmdline: "C:\Users\user\Desktop\Endermanch@AntivirusPlatinum.exe" MD5: 382430DD7EAE8945921B7FEAB37ED36B)
- 302746537.exe (PID: 5464 cmdline: "C:\WINDOWS\302746537.exe" MD5: 8703FF2E53C6FD3BC91294EF9204BACA)
- cmd.exe (PID: 4332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ECFB.tmp\302746537.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- regsvr32.exe (PID: 4920 cmdline: regsvr32 /s c:\windows\comctl32.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 4148 cmdline: regsvr32 /s c:\windows\mscomctl.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- antivirus-platinum.exe (PID: 5248 cmdline: c:\windows\antivirus-platinum.exe MD5: CD1800322CCFC425014A8394B01A4B3D)
- attrib.exe (PID: 5280 cmdline: attrib +h c:\windows\antivirus-platinum.exe MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
- Endermanch@AntivirusPro2017.exe (PID: 4652 cmdline: "C:\Users\user\Desktop\Endermanch@AntivirusPro2017.exe" MD5: 7DFBFBA1E4E64A946CB096BFC937FBAD)
- Endermanch@AnViPC2009.exe (PID: 240 cmdline: "C:\Users\user\Desktop\Endermanch@AnViPC2009.exe" MD5: 910DD666C83EFD3496F21F9F211CDC1F)
- avpc2009.exe (PID: 5220 cmdline: "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe" MD5: C18A7323332B3292A8E0F1C81DF65698)
- Endermanch@BadRabbit.exe (PID: 5844 cmdline: "C:\Users\user\Desktop\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
- conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- rundll32.exe (PID: 4720 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cmd.exe (PID: 1884 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 3968 cmdline: schtasks /Delete /F /TN rhaegal MD5: 15FF7D8324231381BAD48A052F85DF04)
- cmd.exe (PID: 4760 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2633966292 && exit" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 5904 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2633966292 && exit" MD5: 15FF7D8324231381BAD48A052F85DF04)
- cmd.exe (PID: 5612 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:10:00 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 3484 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:10:00 MD5: 15FF7D8324231381BAD48A052F85DF04)
- 3F22.tmp (PID: 4108 cmdline: "C:\Windows\3F22.tmp" \\.\pipe\{C1B24DF3-0828-43A8-B4E0-909C189DD6EB} MD5: 347AC3B6B791054DE3E5720A7144A977)
- conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6332 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 8248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- wevtutil.exe (PID: 9252 cmdline: wevtutil cl Setup MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
- wevtutil.exe (PID: 9540 cmdline: wevtutil cl System MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
- cmd.exe (PID: 9328 cmdline: /c schtasks /Delete /F /TN drogon MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 9368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 9560 cmdline: schtasks /Delete /F /TN drogon MD5: 15FF7D8324231381BAD48A052F85DF04)
- Endermanch@Birele.exe (PID: 1496 cmdline: "C:\Users\user\Desktop\Endermanch@Birele.exe" MD5: 41789C704A0EECFDD0048B4B4193E752)
- taskkill.exe (PID: 1424 cmdline: taskkill /F /IM explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
- conhost.exe (PID: 752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@Cerber5.exe (PID: 4556 cmdline: "C:\Users\user\Desktop\Endermanch@Cerber5.exe" MD5: FE1BC60A95B2C2D77CD5D232296A7FA4)
- netsh.exe (PID: 1320 cmdline: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- netsh.exe (PID: 5264 cmdline: C:\Windows\system32\netsh.exe advfirewall reset MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
- conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Endermanch@DeriaLock.exe (PID: 3988 cmdline: "C:\Users\user\Desktop\Endermanch@DeriaLock.exe" MD5: 0A7B70EFBA0AA93D4BC0857B87AC2FCB)
- Endermanch@FakeAdwCleaner.exe (PID: 5252 cmdline: "C:\Users\user\Desktop\Endermanch@FakeAdwCleaner.exe" MD5: 248AADD395FFA7FFB1670392A9398454)
- 6AdwCleaner.exe (PID: 6280 cmdline: "C:\Users\user\AppData\Local\6AdwCleaner.exe" MD5: 87E4959FEFEC297EBBF42DE79B5C88F6)
- Endermanch@HappyAntivirus.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\Endermanch@HappyAntivirus.exe" MD5: CB02C0438F3F4DDABCE36F8A26B0B961)
- Endermanch@InfinityCrypt.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\Endermanch@InfinityCrypt.exe" MD5: B805DB8F6A84475EF76B795B0D1ED6AE)
- Endermanch@InternetSecurityGuard.exe (PID: 9264 cmdline: "C:\Users\user\Desktop\Endermanch@InternetSecurityGuard.exe" MD5: 04155ED507699B4E37532E8371192C0B)
- cmd.exe (PID: 3136 cmdline: C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 2633966292 && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 9384 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
- WerFault.exe (PID: 9468 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4652 -ip 4652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
No configs have been found
Rule | Description | Author |
---|---|---|
INDICATOR_TOOL_ENC_DiskCryptor | Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | ditekSHen |
BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth |
sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek |
cerber3 | Cerber3 | pekeinfo |
JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security |

(5 of 11 entries shown)

Rule | Description | Author |
---|---|---|
JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security |
cerber3 | Cerber3 | pekeinfo |
mimikatz | mimikatz | Benjamin DELPY (gentilkiwi) |
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek |

(5 of 16 entries shown)

Rule | Description | Author |
---|---|---|
BadRabbit_Mimikatz_Comp | Auto-generated rule | Florian Roth |
mimikatz | mimikatz | Benjamin DELPY (gentilkiwi) |
JoeSecurity_Mimikatz_2 | Yara detected Mimikatz | Joe Security |
BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth |
Cerber | Cerber Payload | kevoreilly |

(5 of 42 entries shown)
Data Obfuscation |
---|
Source: | Author: Joe Security |

Timestamp: | 09/29/22-14:52:42.658471 |
Source IP: | 192.168.2.5 |
Destination IP: | 93.107.12.0 |
SID: | 2023626 |
Source Port: | 55040 |
Destination Port: | 6893 |
Protocol: | UDP |
Classtype: | A Network Trojan was detected |

Timestamp: | 09/29/22-14:52:51.312026 |
Source IP: | 192.168.2.5 |
Destination IP: | 185.53.177.53 |
SID: | 2809804 |
Source Port: | 49804 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Exploits |
---|
Compliance |
---|
Source: | Code function: | 5_2_00405C10 |
Source: | Code function: | 5_2_0040AE97 |
Source: | Code function: | 8_2_00405BD2 |
Source: | Code function: | 8_2_0040AE70 |
Networking |
---|