Windows Analysis Report
KJKJJJECFI.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- KJKJJJECFI.exe (PID: 380, cmdline: "C:\Users\user\Desktop\KJKJJJECFI.exe", MD5: CE355F68F7FB9BCC5A1E140DA2398489)
  - cmd.exe (PID: 892, cmdline: C:\Windows\SysWOW64\cmd.exe, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    - conhost.exe (PID: 6788, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - explorer.exe (PID: 2792, cmdline: C:\Windows\SysWOW64\explorer.exe, MD5: DD6597597673F72E10C9DE7901FBA0A8)
- Sendevsvc.exe (PID: 6048, cmdline: "C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe", MD5: CE355F68F7FB9BCC5A1E140DA2398489)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | |
{"C2 url": "pleasurecanbesafe.com/7vAficZogD/index.php", "Version": "4.18"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
System Summary |
---|
Source: | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: |
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | String decryptor: |
Source: | Binary or memory string: | memstr_e2355f6c-3 |
Exploits |
---|
Source: | File source: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Networking |
---|
Source: | URLs: |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | LNK file: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Module Loaded: |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | NtSetInformationThread: | Jump to behavior | ||
Source: | NtQuerySystemInformation: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Section loaded: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_01047996 |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 11 DLL Side-Loading | 312 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 312 Process Injection | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 88% | ReversingLabs | Win32.Spyware.Lummastealer | |
| 68% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1319380 | |
| 100% | Joe Sandbox ML | | |
| 83% | ReversingLabs | Win32.Trojan.Amadey | |
| 76% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 100% | Avira URL Cloud | phishing | |
| 0% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 1% | Virustotal | | Browse |
| 1% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 1% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 1% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 18% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Virustotal | | Browse |
| 1% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
| 1% | Virustotal | | Browse |
| 1% | Virustotal | | Browse |
| 0% | Virustotal | | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.math.utah.edu | 155.101.98.133 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | low |
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
155.101.98.133 | www.math.utah.edu | United States | | 17055 | UTAHUS | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1420081 |
Start date and time: | 2024-04-04 12:36:09 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | KJKJJJECFI.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.expl.evad.winEXE@7/4@1/1 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target KJKJJJECFI.exe, PID 380 because there are no executed functions
- Execution Graph export aborted for target Sendevsvc.exe, PID 6048 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
12:36:55 | API Interceptor | |
12:37:10 | Autostart | |
12:37:11 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
155.101.98.133 | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Amadey | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
www.math.utah.edu | | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Amadey | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
UTAHUS | | Get hash | malicious | Mirai, Gafgyt | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | Amadey | Browse | |
| | Get hash | malicious | Mirai | Browse | |
| | Get hash | malicious | AsyncRAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | GuLoader, Lokibot | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | Remcos | Browse | |
| | Get hash | malicious | Remcos, GuLoader | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
| | Get hash | malicious | AgentTesla, GuLoader | Browse | |
Process: | C:\Users\user\Desktop\KJKJJJECFI.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 27645 |
Entropy (8bit): | 5.154952528259852 |
Encrypted: | false |
SSDEEP: | 384:uvVzoGQocsTVqly+F3kfbmg6OtGCqUx/BRvNy4Ifq93HE/N4GjDgbJwefnmccFsx:uv5ojDaE50mupBx3vNfKa2DgbJz1MsuG |
MD5: | 3BCAC0C44DB080CE09E54DA0902D215B |
SHA1: | 63FD5AA932400DB98514798180CB3AFB9039F622 |
SHA-256: | E2BDD382B97FE8630663685ADC8C718E67C405B4D66AC54F9FA5BA5DC04A8D07 |
SHA-512: | DD3D302DB6846CBD3611C94A1D48B0F57217EA7B154FBA29421135E72AFBFF155054FDF5D0F6DEE4AF1BEF77BAEBF77A21B717E873D474B7231CE58123D63000 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\KJKJJJECFI.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1124138 |
Entropy (8bit): | 7.621968104191185 |
Encrypted: | false |
SSDEEP: | 24576:qJEj1Ac2DN95fgVDOoUWlpUzNT6W6TZHXAQqSzH2JVkDC1zfMWXwNh1:qKjWc2D35fgVDOoBlpUBTbQZHXAQqSDh |
MD5: | 04AFEC2C99CD93234E4FF565A7D19794 |
SHA1: | 61321775F904DB8AC0B19ABF3EBF84D4D84BC9DD |
SHA-256: | C563247275EEEC2A8C9C6A486AED1858B2FA5FED674C4EE3E171D138B66BEAC8 |
SHA-512: | 525B58B15897EAF13F57706EA8DC4837DC93E58EC8DD1E59E5BF2DDAAB832C4E68E022761625D2166BEC28BAEF070F4E98B9D4A6B9C037247D4EA1DCDC207048 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 912 |
Entropy (8bit): | 5.076432546061586 |
Encrypted: | false |
SSDEEP: | 12:8T2IKe4f8Ed88CTlsY//6dL6/raCslnUQd8SKmr4AjAbnHXYLJg+0hpmV:8T2ff8EO8IZSpvWQAML63pm |
MD5: | AEB050D811A6A888EA7862E28F0A744E |
SHA1: | D6D2C44432BD89C62634F991ED5A8890B7A6EBBB |
SHA-256: | 8C829AD064618C8AB75F11130A027A28B179327335897EF07DF2E47245F0DED3 |
SHA-512: | FDB8E1F9363CA88892FDD3CA56FCA0051154C7800CCC5E56FA59D21FC33B97FCB5D43DD633411861F1B1EADE366BD80D6ED54C608BA5C916B5343617E74032E4 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 429568 |
Entropy (8bit): | 6.513117480954766 |
Encrypted: | false |
SSDEEP: | 12288:xIp0oG34tODC5TPCZzynB/qupORs7HwNI:I0V34tOCV6yVyI |
MD5: | 3E36745728E1302C0DD36455A818DA59 |
SHA1: | 83207703EE94B56A583D676FD281A1078832798C |
SHA-256: | 8B224791DCD7DD8337A5115B432E1B847F6D5D418BADB39BC0F50C19981C9D9A |
SHA-512: | 384817845E81CC864C7488CF06E9CF1C5F81262D4474A7DD5A8C4E92F7A1D7EA1162ED9092383107291B9870FD986CE099349FA9B819FF730203712EA9310908 |
Malicious: | true |
Yara Hits: | |
Antivirus: | |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.02894012544124 |
TrID: | |
File name: | KJKJJJECFI.exe |
File size: | 6'699'592 bytes |
MD5: | ce355f68f7fb9bcc5a1e140da2398489 |
SHA1: | 917b5d290b3a0a28e092ccd53d6f9206223d9293 |
SHA256: | 56fd2541a36680249ec670d07a5682d2ef5a343d1feccbcf2c3da86bd546af85 |
SHA512: | 69e19e29b0d72b444288d6f575cb0b65066495c609ecb4a476b929837299f54cedf1704475928d8683e17aedb74a5af993a84ea3c2f2e75af1cc2e48c4f87637 |
SSDEEP: | 196608:6BBgUSIC1sbmHSZ9S8OqHRKrxQe5Ajz+T0:6BBgUSIC1sbWSZ9BzxExQ/z+T0 |
TLSH: | 8A66BF02F9D18471E1630231356DB7AAADBDA9618B31D5CFB78C162E8F309C19B37B91 |
File Content Preview: | MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$..........`..a3..a3..a3)R.3..a3)R.3P.a3)R.3..a3...3..a3..e2..a3..b2..a3<.e2..a3..d2..a3...3..a3...3..a3..a3..a3..e2..a3..k3..a3...3..a |
Icon Hash: | 499669d8d82916a8 |
Entrypoint: | 0x556cb4 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65703BBA [Wed Dec 6 09:15:38 2023 UTC] |
TLS Callbacks: | 0x70518c |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 101a1ec978d0316fc91f9ad0f1533e6b |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | EAE713DFC05244CF4301BF1C9F68B1BE |
Thumbprint SHA-1: | 9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE |
Thumbprint SHA-256: | 9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF |
Serial: | 0DBF152DEAF0B981A8A938D53F769DB8 |
Instruction |
---|
call 00007F32A07D931Fh |
jmp 00007F32A07D846Fh |
mov ecx, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], ecx |
pop ecx |
pop edi |
pop edi |
pop esi |
pop ebx |
mov esp, ebp |
pop ebp |
push ecx |
ret |
mov ecx, dword ptr [ebp-10h] |
xor ecx, ebp |
call 00007F32A07D7AF3h |
jmp 00007F32A07D85D2h |
mov ecx, dword ptr [ebp-14h] |
xor ecx, ebp |
call 00007F32A07D7AE4h |
jmp 00007F32A07D85C3h |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [008B58E8h] |
xor eax, ebp |
push eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [008B58E8h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], eax |
push dword ptr [ebp-04h] |
mov dword ptr [ebp-04h], FFFFFFFFh |
lea eax, dword ptr [ebp-0Ch] |
mov dword ptr fs:[00000000h], eax |
ret |
push eax |
push dword ptr fs:[00000000h] |
lea eax, dword ptr [esp+0Ch] |
sub esp, dword ptr [esp+0Ch] |
push ebx |
push esi |
push edi |
mov dword ptr [eax], ebp |
mov ebp, eax |
mov eax, dword ptr [008B58E8h] |
xor eax, ebp |
push eax |
mov dword ptr [ebp-10h], esp |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b1400 | 0x1a4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e5000 | 0x163444 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x65f400 | 0x4648 | .reloc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x649000 | 0x331d6 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4774d0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x477540 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x397bd8 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x37d000 | 0x908 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4b139c | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x37b7f3 | 0x37b800 | f4cff882e51783311699ec8eac1a9885 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x37d000 | 0x137408 | 0x137600 | a553269feef5c20192e3ac241e8b003f | False | 0.3314800469189081 | data | 5.05991244260527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4b5000 | 0x2f9a4 | 0x15a00 | a098909401b0880bba6cc5f95248ed55 | False | 0.21347769147398843 | data | 5.132238992675893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x4e5000 | 0x163444 | 0x163600 | 4bb24fe2e41d22f3596255ece9cc16cd | False | 0.6922746108863876 | data | 7.6192929340838305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x649000 | 0x33134 | 0x33200 | 516ef0ba9663e1f2219d5ecaf18d414f | False | 0.498476658007335 | GLS_BINARY_LSB_FIRST | 6.547441120857822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
BAO | 0x4e8378 | 0xd6dde | PNG image data, 1024 x 768, 8-bit/color RGBA, non-interlaced | English | United States | 0.9607394210163914 |
IMG | 0x5bf158 | 0x584 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7889518413597734 |
IMG | 0x5bf6dc | 0x72 | PNG image data, 4 x 4, 8-bit/color RGB, non-interlaced | Chinese | China | 0.9912280701754386 |
IMG | 0x5bf750 | 0x2c5 | PNG image data, 112 x 14, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0155148095909732 |
IMG | 0x5bfa18 | 0x67 | PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9805825242718447 |
IMG | 0x5bfa80 | 0x52b | PNG image data, 42 x 60, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7898715041572184 |
IMG | 0x5bffac | 0x114 | PNG image data, 8 x 7, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0181159420289856 |
IMG | 0x5c00c0 | 0x2f2 | PNG image data, 96 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0145888594164456 |
IMG | 0x5c03b4 | 0x80d | PNG image data, 21 x 21, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.881125667151868 |
IMG | 0x5c0bc4 | 0x191 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.027431421446384 |
IMG | 0x5c0d58 | 0x5e5 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8210735586481114 |
IMG | 0x5c1340 | 0x235 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0194690265486726 |
IMG | 0x5c1578 | 0x191 | PNG image data, 18 x 18, 8-bit colormap, non-interlaced | Chinese | China | 1.027431421446384 |
IMG | 0x5c170c | 0x5b4 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8136986301369863 |
IMG | 0x5c1cc0 | 0x533 | PNG image data, 32 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0082644628099173 |
IMG | 0x5c21f4 | 0x1ac | PNG image data, 54 x 10, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0257009345794392 |
IMG | 0x5c23a0 | 0x14c | PNG image data, 20 x 20, 8-bit colormap, non-interlaced | Chinese | China | 0.7891566265060241 |
IMG | 0x5c24ec | 0x1a5 | PNG image data, 96 x 32, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0261282660332542 |
IMG | 0x5c2694 | 0x1a2 | PNG image data, 20 x 20, 8-bit colormap, non-interlaced | Chinese | China | 0.7655502392344498 |
IMG | 0x5c2838 | 0x230 | PNG image data, 44 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.019642857142857 |
IMG | 0x5c2a68 | 0x4df | PNG image data, 112 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.008821170809944 |
IMG | 0x5c2f48 | 0x8ba | PNG image data, 112 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.004923903312444 |
IMG | 0x5c3804 | 0x404 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0107003891050583 |
IMG | 0x5c3c08 | 0x50d | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.008507347254447 |
IMG | 0x5c4118 | 0x49a | PNG image data, 160 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0093378607809846 |
IMG | 0x5c45b4 | 0x49d | PNG image data, 160 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0093141405588484 |
IMG | 0x5c4a54 | 0x8f | PNG image data, 210 x 85, 2-bit colormap, non-interlaced | Chinese | China | 0.9300699300699301 |
IMG | 0x5c4ae4 | 0x8f | PNG image data, 210 x 85, 2-bit colormap, non-interlaced | Chinese | China | 0.958041958041958 |
IMG | 0x5c4b74 | 0x97 | PNG image data, 210 x 85, 2-bit colormap, non-interlaced | Chinese | China | 0.9668874172185431 |
IMG | 0x5c4c0c | 0x14e | PNG image data, 50 x 40, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9970059880239521 |
IMG | 0x5c4d5c | 0x2dd | PNG image data, 112 x 14, 8-bit colormap, non-interlaced | Chinese | China | 0.9822646657571623 |
IMG | 0x5c503c | 0x67 | PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9805825242718447 |
IMG | 0x5c50a4 | 0x6b0 | PNG image data, 96 x 32, 8-bit colormap, non-interlaced | Chinese | China | 1.0064252336448598 |
IMG | 0x5c5754 | 0x579 | PNG image data, 96 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0078515346181298 |
IMG | 0x5c5cd0 | 0xc8a | PNG image data, 100 x 100, 8-bit colormap, non-interlaced | Chinese | China | 1.0034267912772585 |
IMG | 0x5c695c | 0x592 | PNG image data, 84 x 28, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0077138849929874 |
IMG | 0x5c6ef0 | 0x5df | PNG image data, 78 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0073186959414504 |
IMG | 0x5c74d0 | 0x167 | PNG image data, 78 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9805013927576601 |
IMG | 0x5c7638 | 0x862 | PNG image data, 78 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.005125815470643 |
IMG | 0x5c7e9c | 0x69a | PNG image data, 96 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.006508875739645 |
IMG | 0x5c8538 | 0x45a | PNG image data, 71 x 48, 8-bit colormap, non-interlaced | Chinese | China | 1.0098743267504489 |
IMG | 0x5c8994 | 0x5ba | PNG image data, 71 x 48, 8-bit colormap, non-interlaced | Chinese | China | 1.0075034106412006 |
IMG | 0x5c8f50 | 0xac | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9593023255813954 |
IMG | 0x5c8ffc | 0x96 | PNG image data, 80 x 5, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.98 |
IMG | 0x5c9094 | 0x70 | PNG image data, 80 x 5, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0 |
IMG | 0x5c9104 | 0x5d | PNG image data, 4 x 1, 8-bit/color RGB, non-interlaced | Chinese | China | 0.989247311827957 |
IMG | 0x5c9164 | 0x5c | PNG image data, 4 x 1, 8-bit/color RGB, non-interlaced | Chinese | China | 0.9891304347826086 |
IMG | 0x5c91c0 | 0x5f6 | PNG image data, 71 x 48, 8-bit colormap, non-interlaced | Chinese | China | 1.0072083879423328 |
IMG | 0x5c97b8 | 0x821 | PNG image data, 81 x 27, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0052859202306583 |
IMG | 0x5c9fdc | 0x3d6 | PNG image data, 81 x 27, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0112016293279023 |
IMG | 0x5ca3b4 | 0xd3 | PNG image data, 8 x 7, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0 |
IMG | 0x5ca488 | 0x95 | PNG image data, 8 x 7, 4-bit colormap, non-interlaced | Chinese | China | 0.9731543624161074 |
IMG | 0x5ca520 | 0x90 | PNG image data, 8 x 7, 4-bit colormap, non-interlaced | Chinese | China | 0.9097222222222222 |
IMG | 0x5ca5b0 | 0x2dd | PNG image data, 28 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.015006821282401 |
IMG | 0x5ca890 | 0x2c1 | PNG image data, 28 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0156028368794325 |
IMG | 0x5cab54 | 0x16b8 | PNG image data, 552 x 418, 8-bit colormap, non-interlaced | Chinese | China | 0.967503438789546 |
IMG | 0x5cc20c | 0x4bd | PNG image data, 125 x 418, 2-bit colormap, non-interlaced | Chinese | China | 1.0090684253915911 |
IMG | 0x5cc6cc | 0x4c6 | PNG image data, 125 x 418, 2-bit colormap, non-interlaced | Chinese | China | 1.0090016366612111 |
IMG | 0x5ccb94 | 0x395 | PNG image data, 72 x 24, 8-bit colormap, non-interlaced | Chinese | China | 0.8767720828789531 |
IMG | 0x5ccf2c | 0x445 | PNG image data, 51 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.6989935956084172 |
IMG | 0x5cd374 | 0x13c | PNG image data, 51 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9715189873417721 |
IMG | 0x5cd4b0 | 0x191 | PNG image data, 100 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0124688279301746 |
IMG | 0x5cd644 | 0x4dd | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7726907630522089 |
LAYOUT | 0x5cdb24 | 0x78e | Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.2828335056876939 |
LAYOUT | 0x5ce2b4 | 0xc2d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.29547641963426374 |
LAYOUT | 0x5ceee4 | 0x126 | Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.7448979591836735 |
LAYOUT | 0x5cf00c | 0xce | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7815533980582524 |
LAYOUT | 0x5cf0dc | 0xb50 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.31353591160220995 |
LAYOUT | 0x5cfc2c | 0xbb | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7272727272727273 |
LAYOUT | 0x5cfce8 | 0x73c | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4087473002159827 |
LAYOUT | 0x5d0424 | 0x1703 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.246477677813614 |
LAYOUT | 0x5d1b28 | 0x759 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.42955874534821903 |
LAYOUT | 0x5d2284 | 0x7f2 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4444444444444444 |
LAYOUT | 0x5d2a78 | 0x1ff | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6301369863013698 |
LAYOUT | 0x5d2c78 | 0x350 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4834905660377358 |
LAYOUT | 0x5d2fc8 | 0x221 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.5853211009174312 |
LAYOUT | 0x5d31ec | 0x80e | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3617846750727449 |
LAYOUT | 0x5d39fc | 0x11f | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7317073170731707 |
LAYOUT | 0x5d3b1c | 0x6ba | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4645760743321719 |
LAYOUT | 0x5d41d8 | 0x29e | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.5432835820895522 |
LAYOUT | 0x5d4478 | 0x69c | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.41371158392434987 |
LAYOUT | 0x5d4b14 | 0x668 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4304878048780488 |
LAYOUT | 0x5d517c | 0x4f5 | Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.3979511426319937 |
LAYOUT | 0x5d5674 | 0xbb | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7272727272727273 |
LAYOUT | 0x5d5730 | 0x9c2 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3366693354683747 |
LAYOUT | 0x5d60f4 | 0x27b | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.5291338582677165 |
LAYOUT | 0x5d6370 | 0x4fa | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4073783359497645 |
LAYOUT | 0x5d686c | 0xcc | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7892156862745098 |
LAYOUT | 0x5d6938 | 0xaa0 | Unicode text, UTF-8 (with BOM) text, with very long lines (430), with CRLF line terminators | Chinese | China | 0.35441176470588237 |
LAYOUT | 0x5d73d8 | 0x5af | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4336769759450172 |
LAYOUT | 0x5d7988 | 0x3d7 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4313326551373347 |
LAYOUT | 0x5d7d60 | 0x595 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3198040587823653 |
LAYOUT | 0x5d82f8 | 0x8a0 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.353713768115942 |
LAYOUT | 0x5d8b98 | 0x940 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.16300675675675674 |
LAYOUT | 0x5d94d8 | 0x202b | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.19368548876745598 |
LAYOUT | 0x5db504 | 0x927 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.39479300042680326 |
LAYOUT | 0x5dbe2c | 0x60d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4525500322788896 |
LAYOUT | 0x5dc43c | 0x67e | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3953068592057762 |
LAYOUT | 0x5dcabc | 0x2aa | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6085043988269795 |
LAYOUT | 0x5dcd68 | 0x9ea | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3195429472025217 |
LAYOUT | 0x5dd754 | 0x54c | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.47271386430678464 |
LAYOUT | 0x5ddca0 | 0x1a42 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.19994049390062482 |
LAYOUT | 0x5df6e4 | 0x7db | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3545499751367479 |
LAYOUT | 0x5dfec0 | 0x69f | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3775811209439528 |
LAYOUT | 0x5e0560 | 0x59d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.37230340988169797 |
LAYOUT | 0x5e0b00 | 0x562 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4462989840348331 |
LAYOUT | 0x5e1064 | 0x1216 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.30107991360691144 |
LAYOUT | 0x5e227c | 0x17d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6482939632545932 |
LAYOUT | 0x5e23fc | 0x22b | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6072072072072072 |
PNG | 0x5e2628 | 0x4a8 | PNG image data, 52 x 26, 8-bit/color RGB, non-interlaced | Chinese | China | 0.735738255033557 |
PNG | 0x5e2ad0 | 0x108f | PNG image data, 114 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0025949516395376 |
PNG | 0x5e3b60 | 0xe73 | PNG image data, 108 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0029737766964044 |
PNG | 0x5e49d4 | 0xd7c | PNG image data, 108 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0031865585168018 |
PNG | 0x5e5750 | 0x3ee7 | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.11097311060050923 |
PNG | 0x5e9638 | 0x1fa | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0217391304347827 |
PNG | 0x5e9834 | 0xf37 | PNG image data, 108 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.002824133504493 |
PNG | 0x5ea76c | 0xdb9 | PNG image data, 120 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0031312268716197 |
PNG | 0x5eb528 | 0xcf2 | PNG image data, 48 x 16, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0033192516596259 |
PNG | 0x5ec21c | 0xb1f | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0038637161924833 |
PNG | 0x5ecd3c | 0xcdf | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0033383915022762 |
PNG | 0x5eda1c | 0x715 | PNG image data, 360 x 35, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0060672917815774 |
PNG | 0x5ee134 | 0x1867 | PNG image data, 192 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0017608452056987 |
PNG | 0x5ef99c | 0xb79 | PNG image data, 32 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.00374531835206 |
PNG | 0x5f0518 | 0xb87 | PNG image data, 26 x 26, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0037275499830567 |
PNG | 0x5f10a0 | 0xdd0 | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0031108597285068 |
PNG | 0x5f1e70 | 0xaf7 | PNG image data, 50 x 2, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0039187744923406 |
PNG | 0x5f2968 | 0xb97 | PNG image data, 200 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0037074486012807 |
PNG | 0x5f3500 | 0xe6 | PNG image data, 9 x 8, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0304347826086957 |
PNG | 0x5f35e8 | 0x1ca | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0240174672489082 |
PNG | 0x5f37b4 | 0x1163 | PNG image data, 120 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0024713547517412 |
PNG | 0x5f4918 | 0x1361 | PNG image data, 144 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0022172949002217 |
PNG | 0x5f5c7c | 0x1650 | PNG image data, 80 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0019257703081232 |
PNG | 0x5f72cc | 0xd14 | PNG image data, 15 x 30, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0032855436081243 |
PNG | 0x5f7fe0 | 0xd0a | PNG image data, 15 x 30, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0032953864589575 |
PNG | 0x5f8cec | 0xc37 | PNG image data, 85 x 6, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0035177486408697 |
PNG | 0x5f9924 | 0xc3c | PNG image data, 6 x 85, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0035121328224776 |
PNG | 0x5fa560 | 0x3fa | PNG image data, 282 x 38, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0108055009823183 |
PNG | 0x5fa95c | 0xfc8 | PNG image data, 153 x 17, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0027227722772276 |
PNG | 0x5fb924 | 0x186 | PNG image data, 162 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9153846153846154 |
PNG | 0x5fbaac | 0xca2 | PNG image data, 102 x 17, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0034013605442176 |
PNG | 0x5fc750 | 0xb67 | PNG image data, 8 x 9, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0037684138403562 |
PNG | 0x5fd2b8 | 0x1ca | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0240174672489082 |
PNG | 0x5fd484 | 0x50f | PNG image data, 13 x 85, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7598455598455598 |
SKIN | 0x5fd994 | 0x18d0 | JSON data | Chinese | China | 0.13759445843828716 |
SMENU | 0x5ff264 | 0x6ea | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.29774011299435027 |
SMENU | 0x5ff950 | 0x6ee | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.2993235625704622 |
TRANSLATOR | 0x600040 | 0xa1a8 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.17912719891745602 |
TRANSLATOR | 0x60a1e8 | 0xab9d | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.1740149773518767 |
TRANSLATOR | 0x614d88 | 0xaeb6 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (304), with CRLF line terminators | Chinese | China | 0.16918570853642176 |
TRANSLATOR | 0x61fc40 | 0xac36 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.16683300821122352 |
TRANSLATOR | 0x62a878 | 0xaa1d | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.16748949459229834 |
TRANSLATOR | 0x635298 | 0xa20b | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | Chinese | China | 0.17860328327266592 |
TRANSLATOR | 0x63f4a4 | 0x9c | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.9230769230769231 |
UIDEF | 0x63f540 | 0xa6b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.29733783277090364 |
VALUES | 0x63ffac | 0xe2 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6238938053097345 |
VALUES | 0x640090 | 0x2c45 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (317), with CRLF line terminators | Chinese | China | 0.17709344392482132 |
VALUES | 0x642cd8 | 0x9fc | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3877151799687011 |
XML | 0x6436d4 | 0x135 | ASCII text, with CRLF line terminators | Chinese | China | 0.5436893203883495 |
XML | 0x64380c | 0x6e5 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.42039660056657224 |
XML | 0x643ef4 | 0xbe4 | ASCII text, with CRLF line terminators | Chinese | China | 0.2585413929040736 |
RT_CURSOR | 0x644ad8 | 0x8ac | Targa image data 64 x 65536 x 1 +32 "\010" | Chinese | China | 0.06531531531531531 |
RT_ICON | 0x645384 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9167848029486816 |
RT_ICON | 0x646f14 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.299390243902439 |
RT_ICON | 0x64757c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.478494623655914 |
RT_ICON | 0x647864 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | | | 0.48155737704918034 |
RT_ICON | 0x647a4c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.597972972972973 |
RT_GROUP_CURSOR | 0x647b74 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25 |
RT_GROUP_ICON | 0x647b88 | 0x4c | data | | | 0.8026315789473685 |
RT_VERSION | 0x647bd4 | 0x250 | data | English | United States | 0.4814189189189189 |
RT_MANIFEST | 0x647e24 | 0x61f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1507), with CRLF line terminators | English | United States | 0.400765794511806 |
DLL | Import |
---|---|
WINMM.dll | timeKillEvent, mciSendStringW, timeSetEvent |
WTSAPI32.dll | WTSRegisterSessionNotification, WTSUnRegisterSessionNotification |
KERNEL32.dll | DeleteFileW, GetFileAttributesExW, GetCurrentDirectoryW, MapViewOfFile, GetVolumeInformationW, GetFileAttributesW, SetFilePointerEx, SetEndOfFile, FlushFileBuffers, GetFileInformationByHandle, CreateToolhelp32Snapshot, GetFileSizeEx, FormatMessageW, SystemTimeToFileTime, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetVersionExW, GetSystemInfo, GetSystemDirectoryW, GetTimeZoneInformation, GetUserDefaultLangID, FindFirstChangeNotificationW, FindCloseChangeNotification, WaitForMultipleObjects, FindNextChangeNotification, Process32FirstW, Process32NextW, ResetEvent, OpenFileMappingW, IsBadReadPtr, GetSystemTime, GetCurrentDirectoryA, GetModuleFileNameA, GetVersionExA, HeapCreate, FreeResource, GetFullPathNameW, SleepEx, VerSetConditionMask, QueryPerformanceFrequency, VerifyVersionInfoW, QueryPerformanceCounter, MoveFileExA, GetSystemTimeAsFileTime, CompareFileTime, GetFileType, GetStdHandle, PeekNamedPipe, FormatMessageA, InterlockedDecrement, CreateFileMappingW, GetFileSize, WriteFile, UnmapViewOfFile, SuspendThread, lstrlenA, InterlockedIncrement, GlobalAlloc, GlobalLock, GetThreadContext, VirtualFree, VirtualAlloc, FlushInstructionCache, VirtualProtect, GetEnvironmentVariableW, GetEnvironmentVariableA, CreateProcessW, ResumeThread, TerminateProcess, ReadProcessMemory, LoadLibraryExA, LoadLibraryA, FindNextFileW, ConvertThreadToFiber, ConvertFiberToThread, CreateFiber, DeleteFiber, SwitchToFiber, ReadConsoleA, SetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindFirstFileExW, SetConsoleCtrlHandler, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetConsoleCP, ReadConsoleW, GetConsoleMode, GetACP, GetDriveTypeW, SetStdHandle, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, GetStartupInfoW, UnhandledExceptionFilter, GetCPInfo, LocalFree, InitializeCriticalSectionEx, GetStringTypeW, GetExitCodeThread, WaitForSingleObjectEx, IsProcessorFeaturePresent, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, IsDebuggerPresent, GetLocalTime, OutputDebugStringW, IsBadWritePtr, SetLastError, lstrcmpW, GetCurrentThreadId, ExitProcess, GlobalAddAtomA, Sleep, GetTickCount, InterlockedCompareExchange, FindFirstFileW, FindClose, ReadFile, CreateFileW, GlobalUnlock, MulDiv, GetComputerNameA, WideCharToMultiByte, OutputDebugStringA, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateThread, GetProcAddress, FreeLibrary, GetLastError, GetCurrentProcess, GetCurrentProcessId, GetCommandLineA, LoadLibraryW, GetModuleHandleA, CloseHandle, SetEvent, CreateEventW, WaitForSingleObject, InitializeCriticalSection, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, GetCommandLineW, GetModuleHandleW, SetCurrentDirectoryW, InitializeCriticalSectionAndSpinCount, lstrcmpiW, LockResource, SizeofResource, FindResourceExW, DecodePointer, RaiseException, MultiByteToWideChar, LoadResource, FindResourceW, LoadLibraryExW, GetCurrentThread, GetModuleFileNameW, VirtualQuery, SetUnhandledExceptionFilter |
USER32.dll | IsWindowVisible, GetFocus, GetDlgItem, GetDlgCtrlID, IsChild, GetWindow, SetFocus, RedrawWindow, GetActiveWindow, RegisterClassExW, MessageBoxW, UpdateLayeredWindow, MapVirtualKeyA, CharLowerBuffW, SystemParametersInfoA, DrawTextW, MsgWaitForMultipleObjects, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, ReleaseDC, GetDC, LoadCursorW, GetClassInfoExW, RegisterWindowMessageW, DefWindowProcW, CreateAcceleratorTableW, FillRect, DestroyAcceleratorTable, GetSysColor, GetParent, ShowWindow, SetWindowPos, DestroyWindow, SendMessageW, UnregisterClassW, CharNextW, OffsetRect, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindow, FindWindowW, GetWindowRect, MonitorFromRect, PostMessageW, UnhookWinEvent, SetWinEventHook, GetForegroundWindow, BringWindowToTop, SetWindowLongW, GetCursorPos, PtInRect, SetForegroundWindow, GetUserObjectInformationW, GetProcessWindowStation, DrawIconEx, CallWindowProcW, WindowFromPoint, EqualRect, IsIconic, MonitorFromPoint, GetSystemMetrics, GetMonitorInfoW, GetAsyncKeyState, UnregisterHotKey, RegisterHotKey, EnumDisplayMonitors, CopyRect, ScreenToClient, GetWindowLongW, MonitorFromWindow, GetClassNameW, GetShellWindow, GetAncestor, ClientToScreen, GetWindowThreadProcessId, SystemParametersInfoW, AttachThreadInput, LockWorkStation, SetCursor, SetCapture, ReleaseCapture, GetDesktopWindow, CreateWindowExW, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, MoveWindow, GetClientRect, BeginPaint, EndPaint, SetClassLongW, GetClassLongW, RemovePropW, GetPropW, SetPropW, SetMenuContextHelpId, GetMenuItemInfoW, SetMenuInfo, GetMenuInfo, TrackPopupMenu, AppendMenuW, GetMenuItemCount, DestroyMenu, CreatePopupMenu, IsMenu, GetIconInfo, SetLayeredWindowAttributes, EnumDisplayDevicesW, SetTimer, KillTimer, DestroyIcon, SendMessageA, GetWindowDC, GetWindowRgn, IsZoomed, SetSysColors, DestroyCursor, GetKeyState, EnableMenuItem, SetRect, InflateRect, InvalidateRect, SetActiveWindow, IsWindowEnabled, EnableWindow, LoadImageW, CreateIconFromResource, LoadBitmapW, MapWindowPoints, SetCaretPos, HideCaret, GetCaretBlinkTime, CreateCaret, UpdateWindow, GetCapture, AnimateWindow, PostQuitMessage, TrackMouseEvent, PeekMessageW, DispatchMessageW, TranslateMessage, GetMessageW, IsRectEmpty, UnionRect, IntersectRect, InvalidateRgn |
GDI32.dll | ExcludeClipRect, CreateRoundRectRgn, SetGraphicsMode, Rectangle, FrameRgn, SetROP2, CreateRectRgn, SetDeviceGammaRamp, RestoreDC, GetObjectW, GetStockObject, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, CreateSolidBrush, DeleteObject, GetDeviceCaps, SaveDC, EnumFontsW, CreateBitmap, CreateFontIndirectW, SetBkMode, StretchBlt, SetViewportOrgEx, ExtCreateRegion, GetRegionData, IntersectClipRect, SelectClipRgn, CreateDIBSection, GetCurrentObject, GetViewportOrgEx, GetGlyphIndicesW, GetTextExtentPointI, AddFontMemResourceEx, RemoveFontMemResourceEx, SetTextColor, SetTextAlign, GetTextMetricsW, CreatePen, SetWorldTransform, ExtTextOutW, GetTextFaceW, GdiFlush, SelectObject, CreateHatchBrush, EnumFontFamiliesExW, GetCharABCWidthsW, GetFontData, GetGlyphOutlineW, GetOutlineTextMetricsW, GetFontUnicodeRanges |
COMDLG32.dll | ChooseColorW, GetOpenFileNameW |
ADVAPI32.dll | CryptGetUserKey, CryptSignHashW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegNotifyChangeKeyValue, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, RegQueryValueExW, GetUserNameA, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, DeregisterEventSource, CryptEnumProvidersW |
SHELL32.dll | ShellExecuteW, SHCreateDirectoryExW, SHGetSpecialFolderPathW, SHGetSpecialFolderLocation, SHBrowseForFolderW, SHGetPathFromIDListW, SHFileOperationW, Shell_NotifyIconW |
ole32.dll | CreateStreamOnHGlobal, IIDFromString, CreateBindCtx, CoCreateGuid, OleLockRunning, StringFromGUID2, CoGetClassObject, CLSIDFromProgID, CLSIDFromString, CoTaskMemRealloc, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance |
OLEAUT32.dll | LoadTypeLib, LoadRegTypeLib, VariantClear, OleCreateFontIndirect, DispCallFunc, VarUdateFromDate, SysStringLen, VariantInit, SysAllocStringLen, SysFreeString, SysAllocString, VarUI4FromStr, VariantTimeToSystemTime, SystemTimeToVariantTime, VarBstrFromDate |
SHLWAPI.dll | PathAppendW, PathRemoveFileSpecW, PathFindExtensionW, PathIsDirectoryW, PathFileExistsW, StrToIntExW, PathQuoteSpacesW |
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipSaveImageToFile, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipGraphicsClear, GdipImageGetFrameCount, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipDeleteGraphics, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCreateBitmapFromFile, GdipGetImageEncodersSize, GdipAlloc, GdipFree, GdipGetImageEncoders, GdipImageSelectActiveFrame |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoA |
dwmapi.dll | DwmGetWindowAttribute |
WS2_32.dll | getnameinfo, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, listen, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, shutdown |
IPHLPAPI.DLL | GetAdaptersInfo |
IMM32.dll | ImmReleaseContext, ImmAssociateContext, ImmGetContext |
CRYPT32.dll | CertGetCertificateContextProperty, CertDuplicateCertificateContext, CertFindCertificateInStore, CertOpenStore, CertOpenSystemStoreA, CertGetIntendedKeyUsage, CertGetEnhancedKeyUsage, CertFreeCertificateContext, CertEnumCertificatesInStore, CertCloseStore |
WLDAP32.dll | |
USP10.dll | ScriptItemize, ScriptFreeCache, ScriptShape |
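The import tables above are the raw material for a first static triage: grouping the imported APIs into behaviours tells an analyst what to look for in the dynamic data before reading a single disassembly listing. The script below is an added example (not code from the Joe Sandbox report, the Amadey family, or Joe Security's signatures); `IMPORTS` is a hand-transcribed subset of the tables above and `CAPABILITIES` is the author's own heuristic grouping. Two caveats apply: a static import table describes the file on disk, so APIs the unpacked payload resolves at runtime do not appear in it, and an imported API is only a capability hint, not evidence that the code path is reached.

```python
"""Import-table capability triage.

Added example; not code from the Joe Sandbox report. IMPORTS is a
hand-transcribed subset of the report's import tables for KJKJJJECFI.exe
(constructed input); CAPABILITIES is the author's own heuristic grouping,
not a Joe Security signature.
"""

IMPORTS = {
    "USER32.dll": [
        "SetWindowsHookExW", "CallNextHookEx", "UnhookWindowsHookEx",
        "GetAsyncKeyState", "GetKeyState", "OpenClipboard", "EmptyClipboard",
        "SetClipboardData", "CloseClipboard", "GetForegroundWindow",
        "GetWindowTextW", "LockWorkStation", "RegisterHotKey", "FindWindowW",
    ],
    "GDI32.dll": ["BitBlt", "CreateCompatibleDC", "CreateCompatibleBitmap", "CreateDIBSection"],
    "gdiplus.dll": ["GdipSaveImageToFile", "GdipCreateBitmapFromScan0", "GdipGetImageEncoders"],
    "ADVAPI32.dll": [
        "CryptAcquireContextW", "CryptDecrypt", "CryptExportKey", "CryptGetUserKey",
        "CryptSignHashW", "RegCreateKeyExW", "RegSetValueExW", "RegDeleteValueW",
        "RegDeleteKeyW", "GetUserNameA", "SetSecurityDescriptorDacl",
    ],
    "CRYPT32.dll": ["CertOpenSystemStoreA", "CertEnumCertificatesInStore",
                    "CertFindCertificateInStore", "CertGetCertificateContextProperty"],
    "WS2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv", "bind", "listen", "accept"],
    "IPHLPAPI.DLL": ["GetAdaptersInfo"],
    "SHELL32.dll": ["ShellExecuteW", "SHGetSpecialFolderPathW", "SHFileOperationW", "SHCreateDirectoryExW"],
    "SHLWAPI.dll": ["PathFileExistsW", "PathAppendW"],
}

# Heuristic groups (author's own). A group is "complete" when every API in it
# is imported; a partial group is usually the more interesting signal.
CAPABILITIES = {
    "input capture (window hooks / key state)": {"SetWindowsHookExW", "GetAsyncKeyState", "GetKeyState"},
    "clipboard write": {"OpenClipboard", "SetClipboardData"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "screen capture": {"BitBlt", "CreateCompatibleBitmap", "GdipSaveImageToFile"},
    "certificate store enumeration": {"CertOpenSystemStoreA", "CertEnumCertificatesInStore"},
    "private key export": {"CryptGetUserKey", "CryptExportKey"},
    "registry write (persistence candidates)": {"RegCreateKeyExW", "RegSetValueExW"},
    "outbound sockets": {"WSAStartup", "socket", "connect", "send", "recv"},
    "listening socket": {"bind", "listen", "accept"},
    "shell launch": {"ShellExecuteW"},
    "host fingerprinting": {"GetAdaptersInfo", "GetUserNameA"},
    "session lock": {"LockWorkStation"},
}


def flatten(imports):
    """Map API name -> DLL so a hit can be reported with its module."""
    return {api: dll for dll, apis in imports.items() for api in apis}


def triage(imports, capabilities=CAPABILITIES):
    """Return {capability: {"matched": [...], "missing": [...]}} for every
    capability group with at least one imported API. 'missing' lists the
    group members that are absent (e.g. a clipboard writer with no reader)."""
    present = set(flatten(imports))
    hits = {}
    for cap, apis in capabilities.items():
        matched = sorted(present & apis)
        if matched:
            hits[cap] = {"matched": matched, "missing": sorted(apis - present)}
    return hits


def ranked(hits):
    """Capability names ordered by completeness (matched / group size), then
    by number of matched APIs, then by name, so fully present groups come first."""
    def key(item):
        cap, h = item
        total = len(h["matched"]) + len(h["missing"])
        return (-len(h["matched"]) / total, -len(h["matched"]), cap)
    return [cap for cap, _ in sorted(hits.items(), key=key)]


if __name__ == "__main__":
    by_dll = flatten(IMPORTS)
    hits = triage(IMPORTS)
    for cap in ranked(hits):
        h = hits[cap]
        where = ", ".join(f"{api} ({by_dll[api]})" for api in h["matched"])
        tail = f"  [missing: {', '.join(h['missing'])}]" if h["missing"] else ""
        print(f"{cap}: {where}{tail}")
```

Run against the transcribed subset, the fully imported groups (outbound sockets, window hooks plus key-state polling, screen capture, certificate-store enumeration, private-key export, a listening socket) rank first and the one partial group is clipboard read: the table shows `OpenClipboard`/`SetClipboardData` but no `GetClipboardData`, which is the kind of asymmetry worth confirming in the dynamic trace rather than assuming from imports alone.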
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Chinese | China |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 4, 2024 12:36:55.038450003 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.038474083 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.038570881 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.047399044 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.047415018 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.428030968 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.428184986 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.627238989 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.627262115 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.627543926 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.627597094 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.630459070 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.676229954 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.814026117 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.814093113 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.997432947 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997443914 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997463942 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997524023 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.997541904 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997687101 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.997687101 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.997901917 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997931004 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997961998 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.997967005 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.997987032 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.997999907 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Apr 4, 2024 12:36:55.998002052 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.998039961 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.998128891 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133 |
Apr 4, 2024 12:36:55.998136997 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 4, 2024 12:36:54.767431021 CEST | 50333 | 53 | 192.168.2.5 | 1.1.1.1 |
Apr 4, 2024 12:36:55.032830954 CEST | 53 | 50333 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 4, 2024 12:36:54.767431021 CEST | 192.168.2.5 | 1.1.1.1 | 0xe23e | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 4, 2024 12:36:55.032830954 CEST | 1.1.1.1 | 192.168.2.5 | 0xe23e | No error (0) | | | 155.101.98.133 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49707 | 155.101.98.133 | 443 | 380 | C:\Users\user\Desktop\KJKJJJECFI.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-04-04 10:36:55 UTC | 82 | OUT | |
2024-04-04 10:36:55 UTC | 184 | IN | |
2024-04-04 10:36:55 UTC | 16384 | IN | |
2024-04-04 10:36:55 UTC | 11261 | IN | |
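The packet, DNS and session tables above are three views of one event: a DNS answer at 12:36:55.032 returns 155.101.98.133, PID 380 opens 49707 -> 155.101.98.133:443 about six milliseconds later, and the HTTPS rows show a short exchange. The script below is an added example (not code from the Joe Sandbox report) that rebuilds that chain from the tables as the report prints them: it folds both packet directions into one flow, attributes the flow to its process through the session row, and checks that a DNS answer for the server IP preceded the first packet. `TCP_ROWS` is a transcribed subset of the TCP table; the DNS answer's Name and CName cells are empty in the report and are kept empty here.

```python
"""Flow reconstruction and DNS/process correlation over the report's packet log.

Added example; not code from the Joe Sandbox report. TCP_ROWS, DNS_ANSWERS and
SESSIONS are transcribed from the report's own tables (TCP rows are a subset)
in the row format the report prints, so the parser works from a saved report
rather than from a pcap.
"""
from datetime import datetime, timedelta, timezone

# Constructed subset of the report's TCP rows:
# Timestamp | Source Port | Dest Port | Source IP | Dest IP
TCP_ROWS = """\
Apr 4, 2024 12:36:55.038450003 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.038474083 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.038570881 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.047399044 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.428030968 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.998136997 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
"""

# The report's DNS reply row. Name/CName are empty in the report, so None here.
DNS_ANSWERS = [
    {"ts": "Apr 4, 2024 12:36:55.032830954 CEST", "trans_id": 0xE23E,
     "name": None, "address": "155.101.98.133"},
]

# The report's session-to-process row.
SESSIONS = [
    {"src": ("192.168.2.5", 49707), "dst": ("155.101.98.133", 443),
     "pid": 380, "process": r"C:\Users\user\Desktop\KJKJJJECFI.exe"},
]

CEST = timezone(timedelta(hours=2))  # the report's packet timestamps are in CEST


def parse_ts(text):
    """'Apr 4, 2024 12:36:55.038450003 CEST' -> POSIX seconds (float).
    strptime's %f accepts at most six digits but the report prints nine,
    so the fraction is split off and added back by hand."""
    stamp, tz = text.rsplit(" ", 1)
    if tz != "CEST":
        raise ValueError(f"unexpected zone {tz!r}; this example assumes CEST")
    whole, frac = stamp.split(".")
    base = datetime.strptime(whole, "%b %d, %Y %H:%M:%S").replace(tzinfo=CEST)
    return base.timestamp() + int(frac.ljust(9, "0")) / 1e9


def build_flows(rows):
    """Group packet rows into bidirectional flows keyed on the sorted endpoint
    pair. The first packet seen for a pair fixes which side is the client."""
    flows = {}
    for line in rows.splitlines():
        ts, sport, dport, sip, dip = [c.strip() for c in line.split("|")]
        src, dst = (sip, int(sport)), (dip, int(dport))
        key = tuple(sorted((src, dst)))
        t = parse_ts(ts)
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"client": src, "server": dst,
                              "out": 0, "in": 0, "first": t, "last": t}
        f["out" if src == f["client"] else "in"] += 1
        f["last"] = max(f["last"], t)
    return list(flows.values())


def annotate(flow, answers, sessions):
    """Attach the DNS answer that supplied the server IP (only if it arrived
    before the flow's first packet) and the PID that owned the client socket."""
    flow["dns"] = next((a for a in answers
                        if a["address"] == flow["server"][0]
                        and parse_ts(a["ts"]) <= flow["first"]), None)
    flow["pid"] = next((s["pid"] for s in sessions
                        if s["src"] == flow["client"] and s["dst"] == flow["server"]), None)
    return flow


def summarize(flow):
    """One analyst-readable line per flow."""
    dns = flow.get("dns")
    lookup = (f"resolved {flow['first'] - parse_ts(dns['ts']):.3f}s before first packet "
              f"(txid {dns['trans_id']:#06x})" if dns
              else "no preceding DNS answer for server IP (check for a hard-coded address)")
    return (f"{flow['client'][0]}:{flow['client'][1]} -> "
            f"{flow['server'][0]}:{flow['server'][1]} pid={flow.get('pid')} "
            f"out={flow['out']} in={flow['in']} "
            f"dur={flow['last'] - flow['first']:.3f}s; {lookup}")


if __name__ == "__main__":
    for flow in build_flows(TCP_ROWS):
        print(summarize(annotate(flow, DNS_ANSWERS, SESSIONS)))
```

Keying on the sorted endpoint pair is what makes both directions land in one flow; letting the first packet decide the client is adequate for a sandbox capture that starts before the sample runs, but on a capture joined mid-connection the ephemeral-port side should be used instead. Matching the answer's address against the server IP stands in for the Name column the report leaves empty; a flow with no preceding answer is the case to chase, since it points at a hard-coded or cached address rather than a lookup.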
Target ID: | 0 |
Start time: | 12:36:53 |
Start date: | 04/04/2024 |
Path: | C:\Users\user\Desktop\KJKJJJECFI.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xef0000 |
File size: | 6'699'592 bytes |
MD5 hash: | CE355F68F7FB9BCC5A1E140DA2398489 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:36:55 |
Start date: | 04/04/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 12:36:55 |
Start date: | 04/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 12:37:13 |
Start date: | 04/04/2024 |
Path: | C:\Windows\SysWOW64\explorer.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x430000 |
File size: | 4'514'184 bytes |
MD5 hash: | DD6597597673F72E10C9DE7901FBA0A8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 12:37:18 |
Start date: | 04/04/2024 |
Path: | C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3d0000 |
File size: | 6'699'592 bytes |
MD5 hash: | CE355F68F7FB9BCC5A1E140DA2398489 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |