Windows
Analysis Report
z1quote93039-pdf.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- z1quote93039-pdf.exe (PID: 6512 cmdline:
"C:\Users\ user\Deskt op\z1quote 93039-pdf. exe" MD5: 1B772B5B66B9ADC3B67EAE3627E75059) - RegSvcs.exe (PID: 3276 cmdline:
"C:\Users\ user\Deskt op\z1quote 93039-pdf. exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "kingship@zqamcx.com", "Password": "Methodman991"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 3 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
|
System Summary |
---|
Source: | Author: frack113: |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 2_2_02B54A88 | |
Source: | Code function: | 2_2_02B59B18 | |
Source: | Code function: | 2_2_02B53E70 | |
Source: | Code function: | 2_2_02B5CE68 | |
Source: | Code function: | 2_2_02B541B8 | |
Source: | Code function: | 2_2_060F3F30 | |
Source: | Code function: | 2_2_060F5750 | |
Source: | Code function: | 2_2_060F8C08 | |
Source: | Code function: | 2_2_060FDD73 | |
Source: | Code function: | 2_2_060F2B08 | |
Source: | Code function: | 2_2_060F9B68 | |
Source: | Code function: | 2_2_060F0040 | |
Source: | Code function: | 2_2_060FBD88 | |
Source: | Code function: | 2_2_060F321F | |
Source: | Code function: | 2_2_060F5058 | |
Source: | Code function: | 2_2_060F49D8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static file information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | API/Special instruction interceptor: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | WMI Queries: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 212 Process Injection | 1 Disable or Modify Tools | 2 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 121 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 212 Process Injection | Security Account Manager | 121 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 124 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
29% | Virustotal | Browse | ||
47% | ReversingLabs | Win32.Trojan.Autoitinject | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
9% | Virustotal | Browse | ||
9% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
zqamcx.com | 78.110.166.82 | true | true |
| unknown |
mail.zqamcx.com | unknown | unknown | true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
true |
| unknown | ||
true |
| unknown | ||
false |
| unknown | ||
false | unknown | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
78.110.166.82 | zqamcx.com | United Kingdom | 42831 | UKSERVERS-ASUKDedicatedServersHostingandCo-Location | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1522584 |
Start date and time: | 2024-09-30 11:59:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | z1quote93039-pdf.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/1@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
06:00:02 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
78.110.166.82 | Get hash | malicious | CobaltStrike | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
zqamcx.com | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Remcos | Browse |
|
Process: | C:\Users\user\Desktop\z1quote93039-pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 240128 |
Entropy (8bit): | 6.540118408936613 |
Encrypted: | false |
SSDEEP: | 6144:dqnGi1vMoTut2AiEvj4yMV0N4yCFbfI86NhkzED:GGmutkEr4yC0etWSED |
MD5: | 62E06E1942E981147CA2DFFF8453F6B1 |
SHA1: | E3E8477053643D1A84432E260077AD409D02F8F6 |
SHA-256: | A99FF7071866ECAE165C8BE926E92F75CC6B40EFE3C97AD184750CB426809F3F |
SHA-512: | 1435F0FDFAC293C30DFC194F1A4C9FE243482CEAA47D563C04D44E1230DEA48E4313527DA6D957A6E124D5EBF6B52C082BFFE3B6D23E0B50016432BD790014DC |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.428196616763776 |
TrID: |
|
File name: | z1quote93039-pdf.exe |
File size: | 1'200'301 bytes |
MD5: | 1b772b5b66b9adc3b67eae3627e75059 |
SHA1: | 87cc3b9ceef68d8640aca684e42e15e0b3b4ed13 |
SHA256: | 17ea3ecae5fa2fbe640e5bfdf146dae281256aad17813aa6a30f6c5045845670 |
SHA512: | cd652cb7f23a7b15478d1a051f76ed2a056f52367f31debdf61b5c66ff979807fd8049363e25d55a2c7fb4c5f10691885111356093261be11e44da622a462208 |
SSDEEP: | 24576:ffmMv6Ckr7Mny5QLRnYm9fuv1gDri+F4ZWXD:f3v+7/5QLSPyriR8D |
TLSH: | CB45E112F3D680B6D9A33971297BE36AEB3575194327C48BA7E02F778F211009B36761 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi.......... |
Icon Hash: | 1733312925935517 |
Entrypoint: | 0x416310 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | aaaa8913c89c8aa4a5d93f06853894da |
Instruction |
---|
call 00007FEEF8E00FDCh |
jmp 00007FEEF8DF4DAEh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
push edi |
push esi |
mov esi, dword ptr [ebp+0Ch] |
mov ecx, dword ptr [ebp+10h] |
mov edi, dword ptr [ebp+08h] |
mov eax, ecx |
mov edx, ecx |
add eax, esi |
cmp edi, esi |
jbe 00007FEEF8DF4F3Ah |
cmp edi, eax |
jc 00007FEEF8DF50DAh |
cmp ecx, 00000100h |
jc 00007FEEF8DF4F51h |
cmp dword ptr [004A94E0h], 00000000h |
je 00007FEEF8DF4F48h |
push edi |
push esi |
and edi, 0Fh |
and esi, 0Fh |
cmp edi, esi |
pop esi |
pop edi |
jne 00007FEEF8DF4F3Ah |
pop esi |
pop edi |
pop ebp |
jmp 00007FEEF8DF539Ah |
test edi, 00000003h |
jne 00007FEEF8DF4F47h |
shr ecx, 02h |
and edx, 03h |
cmp ecx, 08h |
jc 00007FEEF8DF4F5Ch |
rep movsd |
jmp dword ptr [00416494h+edx*4] |
nop |
mov eax, edi |
mov edx, 00000003h |
sub ecx, 04h |
jc 00007FEEF8DF4F3Eh |
and eax, 03h |
add ecx, eax |
jmp dword ptr [004163A8h+eax*4] |
jmp dword ptr [004164A4h+ecx*4] |
nop |
jmp dword ptr [00416428h+ecx*4] |
nop |
mov eax, E4004163h |
arpl word ptr [ecx+00h], ax |
or byte ptr [ecx+eax*2+00h], ah |
and edx, ecx |
mov al, byte ptr [esi] |
mov byte ptr [edi], al |
mov al, byte ptr [esi+01h] |
mov byte ptr [edi+01h], al |
mov al, byte ptr [esi+02h] |
shr ecx, 02h |
mov byte ptr [edi+02h], al |
add esi, 03h |
add edi, 03h |
cmp ecx, 08h |
jc 00007FEEF8DF4EFEh |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974 |
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689 |
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919 |
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474 |
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856 |
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445 |
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021 |
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758 |
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702 |
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9 |
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508 |
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976 |
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713 |
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464 |
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531 |
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186 |
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939 |
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15 |
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25 |
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25 |
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718 |
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581 |
DLL | Import |
---|---|
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv |
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW |
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy |
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW |
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable |
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules |
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW |
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA |
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW |
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx |
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl |
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize |
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | Great Britain | |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 12:00:04.334403992 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:04.339457035 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:04.339524984 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:04.896373987 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:04.896959066 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:04.901901960 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.062889099 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.063066959 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.067979097 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.229546070 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.235908985 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.241631031 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.413662910 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.413676023 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.413695097 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.413768053 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.454911947 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.456653118 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.461582899 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.622407913 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.635878086 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.640666962 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.801407099 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.802545071 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.807418108 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.968107939 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:05.969196081 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:05.974001884 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.142059088 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.144371986 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.149298906 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.310466051 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.310795069 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.315843105 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.481287956 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.481585026 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.486500978 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.647078991 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.647787094 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.647855997 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.647855997 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.647891998 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:00:06.652635098 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.652645111 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.652808905 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.652812958 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.911539078 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:00:06.954910994 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:01:44.267761946 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Sep 30, 2024 12:01:44.275836945 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:01:44.437308073 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 |
Sep 30, 2024 12:01:44.441055059 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 12:00:04.242849112 CEST | 55061 | 53 | 192.168.2.5 | 1.1.1.1 |
Sep 30, 2024 12:00:04.318491936 CEST | 53 | 55061 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 30, 2024 12:00:04.242849112 CEST | 192.168.2.5 | 1.1.1.1 | 0x20f8 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 30, 2024 12:00:04.318491936 CEST | 1.1.1.1 | 192.168.2.5 | 0x20f8 | No error (0) | zqamcx.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Sep 30, 2024 12:00:04.318491936 CEST | 1.1.1.1 | 192.168.2.5 | 0x20f8 | No error (0) | 78.110.166.82 | A (IP address) | IN (0x0001) | false |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Sep 30, 2024 12:00:04.896373987 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 30 Sep 2024 11:00:04 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Sep 30, 2024 12:00:04.896959066 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 | EHLO 210395 |
Sep 30, 2024 12:00:05.062889099 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 | 250-cphost14.qhoster.net Hello 210395 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
Sep 30, 2024 12:00:05.063066959 CEST | 49704 | 587 | 192.168.2.5 | 78.110.166.82 | STARTTLS |
Sep 30, 2024 12:00:05.229546070 CEST | 587 | 49704 | 78.110.166.82 | 192.168.2.5 | 220 TLS go ahead |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 05:59:56 |
Start date: | 30/09/2024 |
Path: | C:\Users\user\Desktop\z1quote93039-pdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'200'301 bytes |
MD5 hash: | 1B772B5B66B9ADC3B67EAE3627E75059 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 06:00:01 |
Start date: | 30/09/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9f0000 |
File size: | 45'984 bytes |
MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 12.1% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 21 |
Total number of Limit Nodes: | 4 |
Graph
Function 060F0040 Relevance: 8.4, Strings: 6, Instructions: 941COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F5750 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060FDD73 Relevance: 2.8, Strings: 2, Instructions: 344COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B59B18 Relevance: 2.8, Instructions: 2842COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B5CE68 Relevance: 2.3, Instructions: 2312COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F3F30 Relevance: .8, Instructions: 812COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F9B68 Relevance: .6, Instructions: 634COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F2B08 Relevance: .6, Instructions: 583COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F8C08 Relevance: .6, Instructions: 569COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B54A88 Relevance: .3, Instructions: 266COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B53E70 Relevance: .2, Instructions: 238COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B56EC0 Relevance: 2.6, Strings: 2, Instructions: 142COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060FE218 Relevance: 1.6, APIs: 1, Instructions: 128COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060FE300 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B5F3DD Relevance: 1.4, Strings: 1, Instructions: 112COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B56F60 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B56B6A Relevance: 1.3, Strings: 1, Instructions: 76COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B578F3 Relevance: .6, Instructions: 553COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B5934C Relevance: .4, Instructions: 389COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B596C8 Relevance: .4, Instructions: 355COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B54A7F Relevance: .3, Instructions: 259COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B53E64 Relevance: .2, Instructions: 234COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B54800 Relevance: .2, Instructions: 180COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B547F4 Relevance: .2, Instructions: 179COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B56CC5 Relevance: .1, Instructions: 134COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B56CD0 Relevance: .1, Instructions: 132COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B5112B Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51138 Relevance: .1, Instructions: 109COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B59139 Relevance: .1, Instructions: 98COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B5F2A0 Relevance: .1, Instructions: 97COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B526CC Relevance: .1, Instructions: 93COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B5F2B0 Relevance: .1, Instructions: 91COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B526D8 Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B59237 Relevance: .1, Instructions: 84COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51690 Relevance: .1, Instructions: 80COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B59248 Relevance: .1, Instructions: 78COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02A8D030 Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B54F7B Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B59148 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51878 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51373 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B516A0 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51868 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B54F88 Relevance: .1, Instructions: 68COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B50848 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B50838 Relevance: .1, Instructions: 60COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B517B0 Relevance: .1, Instructions: 58COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51478 Relevance: .1, Instructions: 58COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02A8D02B Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B51488 Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B540EF Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B580D8 Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B57078 Relevance: .0, Instructions: 34COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B580E8 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F5058 Relevance: 13.0, Strings: 10, Instructions: 477COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F49D8 Relevance: 9.2, Strings: 7, Instructions: 442COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060F321F Relevance: 2.9, Strings: 2, Instructions: 413COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 060FBD88 Relevance: 1.8, Strings: 1, Instructions: 578COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02B541B8 Relevance: .3, Instructions: 281COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|