Windows
Analysis Report
WSNBOfCAfh.exe
Overview
General Information
Sample name: | WSNBOfCAfh.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original sample name: | E58E25C8AEF38A1BC6546AEE7A5C94CB534F64D7F4FCFC937A2F5A3AD9191A5F |
Analysis ID: | 1426781 |
MD5: | bcb8cbe530f4f7be6a3901067961ad14 |
SHA1: | 76c49f0c0e66746201e0598b61d46dd39747cd55 |
SHA256: | e58e25c8aef38a1bc6546aee7a5c94cb534f64d7f4fcfc937a2f5a3ad9191a5f |
Infos: | |
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 40% |
Signatures
Classification
Analysis Advice
- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
- Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/", "--").
- System is w10x64
- WSNBOfCAfh.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\WSNBOfCAfh.exe" MD5: BCB8CBE530F4F7BE6A3901067961AD14)
- WSNBOfCAfh.tmp (PID: 7348 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp" /SL5="$2042E,9552580,777216,C:\Users\user\Desktop\WSNBOfCAfh.exe" MD5: 593E2893150FF847791168B00FB97039)
- GU.exe (PID: 7784 cmdline: "C:\Program Files (x86)\GU_2024\GU.exe" MD5: 5E775346C19A96D094D3D23726E969F6)
- splwow64.exe (PID: 7860 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
- cleanup
Source: | Author: frack113, Nasreddine Bencherchali: |
There are no malicious signatures.
Source: | Code function: | 6_2_00C61DF1 |
Source: | Code function: | 6_2_00C61D91 |
Source: | Code function: | 6_2_00C61D9D |
Source: | Code function: | 6_2_00C61DA9 |
Source: | Code function: | 6_2_00C61F41 |
Source: | Code function: | 6_2_00C61B69 |
Source: | Code function: | 6_2_00C61E15 |
Source: | Code function: | 6_2_00C61F29 |
Source: | Code function: | 6_2_00C61E39 |
Source: | Code function: | 6_2_00C61A1C |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Spearphishing Link | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 2 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 2 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 22 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | Virustotal | Browse | ||
0% | ReversingLabs | |||
2% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
1% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | high |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | low |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | low |
| | | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1426781 |
Start date and time: | 2024-04-16 16:02:15 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | WSNBOfCAfh.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
Original Sample Name: | E58E25C8AEF38A1BC6546AEE7A5C94CB534F64D7F4FCFC937A2F5A3AD9191A5F |
Detection: | CLEAN |
Classification: | clean3.winEXE@7/28@0/0 |
EGA Information: | |
HCA Information: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
16:03:44 | API Interceptor | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\is-JH8JK.tmp\_isetup\_setup64.tmp | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | PureLog Stealer | Browse | |||
Get hash | malicious | HawkEye, PureLog Stealer | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 130412 |
Entropy (8bit): | 7.720954227926037 |
Encrypted: | false |
SSDEEP: | 3072:wkVjOwP6HOCbC4ffpVC5zk4HjbXABDLoKdnNJj/TD:wOOwCHOCb/DWA4/Axh/j/v |
MD5: | CE7835CF916B0DCF0F629383A7DC6FE2 |
SHA1: | 482EEEDCAA352F5CF49AAE9ED12D9E32F6A572E7 |
SHA-256: | CA8C4E23FA1021FDEB085CD00ED3906926B5B96A0F557F85838DFB4384E5F8B6 |
SHA-512: | D7EA6B7DD4D5E4CC8B132F35A9E63B5AA6597693A12D86E498115FEF8D3211DAEB7E1D0132D25405FE3C8427158F01B3AACD7959A45127FFF3AE9E6699124929 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 540590 |
Entropy (8bit): | 7.996474385181467 |
Encrypted: | true |
SSDEEP: | 12288:61A0N/OlDQVyjwk1QsKZOoptSnkBUuCVaQJ7y1npzTTG0:65NGlcV2QsUYkiuC/72npzPG0 |
MD5: | B986DAC9A06FA07A44A1FA7A18260ACA |
SHA1: | 67F3C7E14F4358A613BA7AC342B4D4E7449EA175 |
SHA-256: | CA72FA47FD9781C03C6CFCC20BC92603B38605B455956B2194F38E0BD0A5AF22 |
SHA-512: | 0F99A690E1C8D154EEFF0F4AAD37E0E5D3560BD5C3279C85F0EDAF2B2126D738CB32E9CADC7D662CE87499AA9F53F96FCBBD2506A9667AF5C6F365E81DC062A1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 200579 |
Entropy (8bit): | 6.506268470787151 |
Encrypted: | false |
SSDEEP: | 3072:VY/TukgOPvop2wozXcsiwSZ1IWJeyP/3GPubNbRDD4:VYrZhw8e1I18v8mDD4 |
MD5: | 704B2DE1C6C7BA5D16B2B548135CEA83 |
SHA1: | 9B9D27C4E2024F66330E9B5BF68271CFD358FA44 |
SHA-256: | 9A7C52A5F843764F1DA02983B7F11D3839EF3C46991D6524C70F356A93223071 |
SHA-512: | E43D5729A89722E5C44E050C1F7AAA2112B13B8F6704D386CF6D27AD373F43DD646DE88CFE2BD0A94AC9EF1DF99EE35B0F120342B40DBA0936A87F5FF4620D28 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 186130 |
Entropy (8bit): | 6.346261247780766 |
Encrypted: | false |
SSDEEP: | 3072:FjdyHeyOhXuzwxoBuk2QyP/3GPubNbRDeEAG:Xa2ezwxoBukl8v8mDeEAG |
MD5: | 904AB3BC440D3AECF0BB324CE15D1B5E |
SHA1: | 68261643FF9851A4BA0F8ECE155C23C9CD626848 |
SHA-256: | 9ACC623CE241AF98FBBD5FB0A6C85DC01084556496DCD76CAF04A3A036B528BF |
SHA-512: | C505164D1E154F7DA9FA6214B51ACB35DE17861E53838A61C558E51F1250F82383819C5EE7FFDC44968C76E7236C00975D8DB71D09284F854E1FD5EB0111AE7C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 19850752 |
Entropy (8bit): | 6.446730011865548 |
Encrypted: | false |
SSDEEP: | 393216:YXdC7qRxSZSRncIHaPdMhtQz7731jnUvqQgNL:yChrljnUhg |
MD5: | 5E775346C19A96D094D3D23726E969F6 |
SHA1: | 8C67F9716E9176F2705997D70AB1B2BE1282D3B5 |
SHA-256: | 400ACCA53536DE9A5EBBC18F02F0BF21CC6692B5825D2E998DCF043B47AAE20B |
SHA-512: | EAD7BAEC0924B7E188C0A5A03A04B198721DBE2C7169ABBDE3640A9E1D308E5C100421ED815D387C6E26F26E0352B26B0EA48F8CCA1C0FED30CF8320C0D66835 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1053 |
Entropy (8bit): | 5.168890085285299 |
Encrypted: | false |
SSDEEP: | 24:ubjEY+Re0Cy6BvnBBWyATJ4YgUbMs4jgO/:uc80CtvBByiY45 |
MD5: | F6B9BC3938DF32C64E9DF5BD0557234F |
SHA1: | 3351FFAEE9E238E2D1DF5D53FB5A37F8B91B391E |
SHA-256: | BE6004A6DAB48079160EB93A5B7FB9E7FDA6C5D3A14144C80E6A189DA4976C0C |
SHA-512: | 3314A03B1EE0C71786CDFDAF7A2CE340DAB774B1621DCF4BE591A299F8F222128F48986152DBA64E0CC0E66B0708919543020EE073141659E137E379FA08C122 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 26030 |
Entropy (8bit): | 5.4897570254264805 |
Encrypted: | false |
SSDEEP: | 768:pW1iLxKk1zBV+82zmRG8gP80l277/ddmoo1oomoohIIVpf:4IV3IzSlg1s77/ddhf |
MD5: | 29CAAD60C827D0AF69E02B918944C3AE |
SHA1: | CFA01E1443CDF79121474351A782D872A741727C |
SHA-256: | 79FA29A261CBD815357678D08FB42F9EAC626AB44C7C4EF4D482BC04768DFE69 |
SHA-512: | CF56E9E57A9FACBE92894D7AD392F2C888DCF205CD19915302559BA67076A41CCB3504E2A083CC8C89BB726C9C781ACE5E4341BF23AD92C802249176CBC744B7 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 22306200 |
Entropy (8bit): | 5.27183443590215 |
Encrypted: | false |
SSDEEP: | 196608:v/X0jtNMzdavNU+UO8fDWiRaV+eV3g9UWdgK1:XX0jtNMzdavqFO8lNyW |
MD5: | E7A5BDC8731E9B230DE492D2D02F65CD |
SHA1: | 847C43A6374D53E9D89EE0D61737DDADFD00FF79 |
SHA-256: | FFE5E10D3DD08FC6F6504409056CE3F4BF0F5AD5913379A5991503AAA2671A44 |
SHA-512: | 0B65947587CA6E72B79B5FED63B480130F371EC7B67D664E9FF43C805A43969D9A1C8E1B4748A8EBDC6FBE2A30D531C3FD3E6D3B7A8726000A96AF46FC11CB2F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 268 |
Entropy (8bit): | 4.195691050065407 |
Encrypted: | false |
SSDEEP: | 6:U4T4h04/7mIC79eIyg471YVoICd+hAhQ9omgP8FFY:Uxn/7Me371rYhAUgP8FFY |
MD5: | C44732B340B1BBA019C8CC78E932880F |
SHA1: | F45DE24D87DA1EC38629056A0766444F9B7DE363 |
SHA-256: | BBB0E2995035C3EED04C3CDF7C935AAC18844505A7508C95A2F3C66772C2DC87 |
SHA-512: | 4181D251658AF4084A8D13824C38CE8A554C99EBB595B77EF74050ED4332C7B970FFCA980EC87ABC0578D2844502DF9EF0B9121EC114FD969C68B0886F8A4DA7 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 9577 |
Entropy (8bit): | 3.6940300483268698 |
Encrypted: | false |
SSDEEP: | 192:s8/Gd2b7t2bUj+PupcL8NDvQjdKRQ/wdLCxqfLhqH4Hy999U9+9Se:s8/Gd2b7t2bUj+PupcL8NDvQjdKRQ/w+ |
MD5: | 20AD44DD652373FBD5F64FD80C47C8A9 |
SHA1: | 9C96BF242D7AA679D0A21689AF6FD90E50536BE5 |
SHA-256: | 4BA1F0C64CECF93C4DDDC45066222B59CAF83B727DE7D51466B69D58011A0697 |
SHA-512: | 12651F5114DD4056049CBFF2AAA11FDB5A4D232AB3A6373819EE6CB1B11CE3EDE0094C37269DB4D93BCE6BEA9B19C7F9EA651FFAC1734E8E51365EF2B22D388B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 540590 |
Entropy (8bit): | 7.996474385181467 |
Encrypted: | true |
SSDEEP: | 12288:61A0N/OlDQVyjwk1QsKZOoptSnkBUuCVaQJ7y1npzTTG0:65NGlcV2QsUYkiuC/72npzPG0 |
MD5: | B986DAC9A06FA07A44A1FA7A18260ACA |
SHA1: | 67F3C7E14F4358A613BA7AC342B4D4E7449EA175 |
SHA-256: | CA72FA47FD9781C03C6CFCC20BC92603B38605B455956B2194F38E0BD0A5AF22 |
SHA-512: | 0F99A690E1C8D154EEFF0F4AAD37E0E5D3560BD5C3279C85F0EDAF2B2126D738CB32E9CADC7D662CE87499AA9F53F96FCBBD2506A9667AF5C6F365E81DC062A1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3137597 |
Entropy (8bit): | 6.357128447667352 |
Encrypted: | false |
SSDEEP: | 49152:tWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTb8333Hn:3tLutqgwh4NYxtJpkxhGL333H |
MD5: | 6ACB94727498585280E9C07460D586BC |
SHA1: | 8D46A2CDA0E9D328EE320E13671FB57F62CBAE31 |
SHA-256: | 32FD0FEBACD030BC9D15FF6544033322FACD2B2091E3837F5CCC4E3478E5112D |
SHA-512: | 247E69656892A5E53CD5741F287A51D71BC8607F501B881B690643EDA0A178677B1ECDF98EC0AA48250A603C400FB702C44F48CC0D50D9095A0D4E19F4DF652B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 268 |
Entropy (8bit): | 4.195691050065407 |
Encrypted: | false |
SSDEEP: | 6:U4T4h04/7mIC79eIyg471YVoICd+hAhQ9omgP8FFY:Uxn/7Me371rYhAUgP8FFY |
MD5: | C44732B340B1BBA019C8CC78E932880F |
SHA1: | F45DE24D87DA1EC38629056A0766444F9B7DE363 |
SHA-256: | BBB0E2995035C3EED04C3CDF7C935AAC18844505A7508C95A2F3C66772C2DC87 |
SHA-512: | 4181D251658AF4084A8D13824C38CE8A554C99EBB595B77EF74050ED4332C7B970FFCA980EC87ABC0578D2844502DF9EF0B9121EC114FD969C68B0886F8A4DA7 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 200579 |
Entropy (8bit): | 6.506268470787151 |
Encrypted: | false |
SSDEEP: | 3072:VY/TukgOPvop2wozXcsiwSZ1IWJeyP/3GPubNbRDD4:VYrZhw8e1I18v8mDD4 |
MD5: | 704B2DE1C6C7BA5D16B2B548135CEA83 |
SHA1: | 9B9D27C4E2024F66330E9B5BF68271CFD358FA44 |
SHA-256: | 9A7C52A5F843764F1DA02983B7F11D3839EF3C46991D6524C70F356A93223071 |
SHA-512: | E43D5729A89722E5C44E050C1F7AAA2112B13B8F6704D386CF6D27AD373F43DD646DE88CFE2BD0A94AC9EF1DF99EE35B0F120342B40DBA0936A87F5FF4620D28 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 130412 |
Entropy (8bit): | 7.720954227926037 |
Encrypted: | false |
SSDEEP: | 3072:wkVjOwP6HOCbC4ffpVC5zk4HjbXABDLoKdnNJj/TD:wOOwCHOCb/DWA4/Axh/j/v |
MD5: | CE7835CF916B0DCF0F629383A7DC6FE2 |
SHA1: | 482EEEDCAA352F5CF49AAE9ED12D9E32F6A572E7 |
SHA-256: | CA8C4E23FA1021FDEB085CD00ED3906926B5B96A0F557F85838DFB4384E5F8B6 |
SHA-512: | D7EA6B7DD4D5E4CC8B132F35A9E63B5AA6597693A12D86E498115FEF8D3211DAEB7E1D0132D25405FE3C8427158F01B3AACD7959A45127FFF3AE9E6699124929 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 19850752 |
Entropy (8bit): | 6.446730011865548 |
Encrypted: | false |
SSDEEP: | 393216:YXdC7qRxSZSRncIHaPdMhtQz7731jnUvqQgNL:yChrljnUhg |
MD5: | 5E775346C19A96D094D3D23726E969F6 |
SHA1: | 8C67F9716E9176F2705997D70AB1B2BE1282D3B5 |
SHA-256: | 400ACCA53536DE9A5EBBC18F02F0BF21CC6692B5825D2E998DCF043B47AAE20B |
SHA-512: | EAD7BAEC0924B7E188C0A5A03A04B198721DBE2C7169ABBDE3640A9E1D308E5C100421ED815D387C6E26F26E0352B26B0EA48F8CCA1C0FED30CF8320C0D66835 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 186130 |
Entropy (8bit): | 6.346261247780766 |
Encrypted: | false |
SSDEEP: | 3072:FjdyHeyOhXuzwxoBuk2QyP/3GPubNbRDeEAG:Xa2ezwxoBukl8v8mDeEAG |
MD5: | 904AB3BC440D3AECF0BB324CE15D1B5E |
SHA1: | 68261643FF9851A4BA0F8ECE155C23C9CD626848 |
SHA-256: | 9ACC623CE241AF98FBBD5FB0A6C85DC01084556496DCD76CAF04A3A036B528BF |
SHA-512: | C505164D1E154F7DA9FA6214B51ACB35DE17861E53838A61C558E51F1250F82383819C5EE7FFDC44968C76E7236C00975D8DB71D09284F854E1FD5EB0111AE7C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1053 |
Entropy (8bit): | 5.168890085285299 |
Encrypted: | false |
SSDEEP: | 24:ubjEY+Re0Cy6BvnBBWyATJ4YgUbMs4jgO/:uc80CtvBByiY45 |
MD5: | F6B9BC3938DF32C64E9DF5BD0557234F |
SHA1: | 3351FFAEE9E238E2D1DF5D53FB5A37F8B91B391E |
SHA-256: | BE6004A6DAB48079160EB93A5B7FB9E7FDA6C5D3A14144C80E6A189DA4976C0C |
SHA-512: | 3314A03B1EE0C71786CDFDAF7A2CE340DAB774B1621DCF4BE591A299F8F222128F48986152DBA64E0CC0E66B0708919543020EE073141659E137E379FA08C122 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 9577 |
Entropy (8bit): | 3.6940300483268698 |
Encrypted: | false |
SSDEEP: | 192:s8/Gd2b7t2bUj+PupcL8NDvQjdKRQ/wdLCxqfLhqH4Hy999U9+9Se:s8/Gd2b7t2bUj+PupcL8NDvQjdKRQ/w+ |
MD5: | 20AD44DD652373FBD5F64FD80C47C8A9 |
SHA1: | 9C96BF242D7AA679D0A21689AF6FD90E50536BE5 |
SHA-256: | 4BA1F0C64CECF93C4DDDC45066222B59CAF83B727DE7D51466B69D58011A0697 |
SHA-512: | 12651F5114DD4056049CBFF2AAA11FDB5A4D232AB3A6373819EE6CB1B11CE3EDE0094C37269DB4D93BCE6BEA9B19C7F9EA651FFAC1734E8E51365EF2B22D388B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 22306200 |
Entropy (8bit): | 5.27183443590215 |
Encrypted: | false |
SSDEEP: | 196608:v/X0jtNMzdavNU+UO8fDWiRaV+eV3g9UWdgK1:XX0jtNMzdavqFO8lNyW |
MD5: | E7A5BDC8731E9B230DE492D2D02F65CD |
SHA1: | 847C43A6374D53E9D89EE0D61737DDADFD00FF79 |
SHA-256: | FFE5E10D3DD08FC6F6504409056CE3F4BF0F5AD5913379A5991503AAA2671A44 |
SHA-512: | 0B65947587CA6E72B79B5FED63B480130F371EC7B67D664E9FF43C805A43969D9A1C8E1B4748A8EBDC6FBE2A30D531C3FD3E6D3B7A8726000A96AF46FC11CB2F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 26030 |
Entropy (8bit): | 5.4897570254264805 |
Encrypted: | false |
SSDEEP: | 768:pW1iLxKk1zBV+82zmRG8gP80l277/ddmoo1oomoohIIVpf:4IV3IzSlg1s77/ddhf |
MD5: | 29CAAD60C827D0AF69E02B918944C3AE |
SHA1: | CFA01E1443CDF79121474351A782D872A741727C |
SHA-256: | 79FA29A261CBD815357678D08FB42F9EAC626AB44C7C4EF4D482BC04768DFE69 |
SHA-512: | CF56E9E57A9FACBE92894D7AD392F2C888DCF205CD19915302559BA67076A41CCB3504E2A083CC8C89BB726C9C781ACE5E4341BF23AD92C802249176CBC744B7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | modified |
Size (bytes): | 3337 |
Entropy (8bit): | 3.5501403385302197 |
Encrypted: | false |
SSDEEP: | 96:F9AlGNC6Cj0nVbDbCTCHwCH9BbCrCahRCahSMHhTr:/Al4Cj2pnfCxtH1r |
MD5: | A2D63E9A6AB6BAB3F612F6FE4A62721A |
SHA1: | 1B0C683170275E63CC70A2913EF99FFB74A93299 |
SHA-256: | C58D4DA0CED397BFADF5FCB413385EF02014157F507FC1F52AB7660B57748307 |
SHA-512: | 3ADDACE0A01B10B8F7471A3EC6AA514D5B0ABFE4178DE4795CB655C3CA3B19E742F4B3DD85EC15A4271D13F608553BC599885ABA9F38C7FA607CE1659E46C037 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 3137597 |
Entropy (8bit): | 6.357128447667352 |
Encrypted: | false |
SSDEEP: | 49152:tWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTb8333Hn:3tLutqgwh4NYxtJpkxhGL333H |
MD5: | 6ACB94727498585280E9C07460D586BC |
SHA1: | 8D46A2CDA0E9D328EE320E13671FB57F62CBAE31 |
SHA-256: | 32FD0FEBACD030BC9D15FF6544033322FACD2B2091E3837F5CCC4E3478E5112D |
SHA-512: | 247E69656892A5E53CD5741F287A51D71BC8607F501B881B690643EDA0A178677B1ECDF98EC0AA48250A603C400FB702C44F48CC0D50D9095A0D4E19F4DF652B |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1053 |
Entropy (8bit): | 4.607199827506089 |
Encrypted: | false |
SSDEEP: | 24:8mo/2E5+dOE4qzTmmA6nYicdR/HrdR/0UULx4KJ8KJUwqygm:8mo/p5+dOcz26Yicd5rdPKLJVJmyg |
MD5: | BBAC1CF89148689FAD8C800720413E79 |
SHA1: | 3D3F7709A1614DD586302E20B56592E6A51CDCF1 |
SHA-256: | 86F8E8B07121E317A7AD788981DE185679ABFC5E25A7B94653143B6F1FADDCEB |
SHA-512: | BFABADEA143BF2D2B0B99EB05B8A3DA0094E4E522808CBCD130D5DE0D12359BF2D470FBA479BCCC14C489948CEBD643763FB560CE107BD20101F04608CA5C9D6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 1089 |
Entropy (8bit): | 4.657484306553993 |
Encrypted: | false |
SSDEEP: | 24:8miZEVdOE4qzTll/6AkYiBdR/KDdR/0UULxkJQJUwqygm:8miWVdOczhlpviBdkDdPKOJQJmyg |
MD5: | 4A9FCC368951F4A9433B41A6C930D58E |
SHA1: | 376B2406C2B14A3BB6E04C2C3BB86D03D8946260 |
SHA-256: | B7AEB7CBC65E3A6D230A73E7050B4F5646E185249D57ADAF7B3278E26450569F |
SHA-512: | 89326164C8B5B85CC58D0E9364C20B8A0B05D05B1EDA9ECA963AADA9FFEBFF69E042E5D4E81624492AC69545EB9EBA99F71164529E7A73AF16EAE689DA844374 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
File Type: | |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.720366600008286 |
Encrypted: | false |
SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0 |
MD5: | E4211D6D009757C078A9FAC7FF4F03D4 |
SHA1: | 019CD56BA687D39D12D4B13991C9A42EA6BA03DA |
SHA-256: | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
SHA-512: | 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E |
Malicious: | false |
Antivirus: |
Joe Sandbox View: |
Preview: |
Process: | C:\Users\user\Desktop\WSNBOfCAfh.exe |
File Type: | |
Category: | modified |
Size (bytes): | 3113472 |
Entropy (8bit): | 6.370560423548419 |
Encrypted: | false |
SSDEEP: | 49152:1WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTb8333Hp:vtLutqgwh4NYxtJpkxhGL333J |
MD5: | 593E2893150FF847791168B00FB97039 |
SHA1: | 54A8643948BACD7E8B08A83EC2899F1996DFF1D8 |
SHA-256: | 884C27725E4D5067F19B25D94A5BDD11A79CC22C7354A1DA1A1DA85B60CC2906 |
SHA-512: | C2B794307103E8EDF2DA032AE1A02614B08165C5B7BCC65D39C9C18FFA27D5DBE0757D77F29E011F1F49AE7C38259D5E72DB1C03162A5BB2AC466E46DE765D9B |
Malicious: | false |
Antivirus: |
Preview: |
Process: | C:\Program Files (x86)\GU_2024\GU.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1053 |
Entropy (8bit): | 5.168890085285299 |
Encrypted: | false |
SSDEEP: | 24:ubjEY+Re0Cy6BvnBBWyATJ4YgUbMs4jgO/:uc80CtvBByiY45 |
MD5: | F6B9BC3938DF32C64E9DF5BD0557234F |
SHA1: | 3351FFAEE9E238E2D1DF5D53FB5A37F8B91B391E |
SHA-256: | BE6004A6DAB48079160EB93A5B7FB9E7FDA6C5D3A14144C80E6A189DA4976C0C |
SHA-512: | 3314A03B1EE0C71786CDFDAF7A2CE340DAB774B1621DCF4BE591A299F8F222128F48986152DBA64E0CC0E66B0708919543020EE073141659E137E379FA08C122 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.973950722865438 |
TrID: |
File name: | WSNBOfCAfh.exe |
File size: | 10'395'772 bytes |
MD5: | bcb8cbe530f4f7be6a3901067961ad14 |
SHA1: | 76c49f0c0e66746201e0598b61d46dd39747cd55 |
SHA256: | e58e25c8aef38a1bc6546aee7a5c94cb534f64d7f4fcfc937a2f5a3ad9191a5f |
SHA512: | b6d0241c40197134ec816e9075f12bcfb248755d87a253ef324af6d7b925c7a148638d310ad64aaad78648fc9eae082b3630803df031f12f6939d69e4c7b5b09 |
SSDEEP: | 196608:OUNocAkIWmbqmrDzp4/dQKATCb2ty4YIuldYnjXuaNoszlVjw8DC1n:zNocA3Wtk6FQSbCY9nDyfjJC1n |
TLSH: | C2A6233FB2A8663ED86F4B320573935099BBBA91A51ACC1E17F4080DCF6A4701E3F655 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 9c1673b9f171239f |
Entrypoint: | 0x4b5eec |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | e569e6f445d32ba23766ad67d1e3787f |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFA4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-3Ch], eax |
mov dword ptr [ebp-40h], eax |
mov dword ptr [ebp-5Ch], eax |
mov dword ptr [ebp-30h], eax |
mov dword ptr [ebp-38h], eax |
mov dword ptr [ebp-34h], eax |
mov dword ptr [ebp-2Ch], eax |
mov dword ptr [ebp-28h], eax |
mov dword ptr [ebp-14h], eax |
mov eax, 004B14B8h |
call 00007F7B2957BB45h |
xor eax, eax |
push ebp |
push 004B65E2h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 004B659Eh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [004BE634h] |
call 00007F7B2961E637h |
call 00007F7B2961E18Ah |
lea edx, dword ptr [ebp-14h] |
xor eax, eax |
call 00007F7B295915E4h |
mov edx, dword ptr [ebp-14h] |
mov eax, 004C1D84h |
call 00007F7B29576737h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [004C1D84h] |
mov dl, 01h |
mov eax, dword ptr [004238ECh] |
call 00007F7B29592767h |
mov dword ptr [004C1D88h], eax |
xor edx, edx |
push ebp |
push 004B654Ah |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007F7B2961E6BFh |
mov dword ptr [004C1D90h], eax |
mov eax, dword ptr [004C1D90h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007F7B296248DAh |
mov eax, dword ptr [004C1D90h] |
mov edx, 00000028h |
call 00007F7B2959305Ch |
mov edx, dword ptr [004C1D90h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x36c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xc7000 | 0x36c8 | 0x3800 | cd37888a2076e73ef25809258409c917 | False | 0.3031529017857143 | data | 4.195989806242258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc7438 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.271505376344086 |
RT_STRING | 0xc7720 | 0x360 | data | | | 0.34375 |
RT_STRING | 0xc7a80 | 0x260 | data | | | 0.3256578947368421 |
RT_STRING | 0xc7ce0 | 0x45c | data | | | 0.4068100358422939 |
RT_STRING | 0xc813c | 0x40c | data | | | 0.3754826254826255 |
RT_STRING | 0xc8548 | 0x2d4 | data | | | 0.39226519337016574 |
RT_STRING | 0xc881c | 0xb8 | data | | | 0.6467391304347826 |
RT_STRING | 0xc88d4 | 0x9c | data | | | 0.6410256410256411 |
RT_STRING | 0xc8970 | 0x374 | data | | | 0.4230769230769231 |
RT_STRING | 0xc8ce4 | 0x398 | data | | | 0.3358695652173913 |
RT_STRING | 0xc907c | 0x368 | data | | | 0.3795871559633027 |
RT_STRING | 0xc93e4 | 0x2a4 | data | | | 0.4275147928994083 |
RT_RCDATA | 0xc9688 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0xc9698 | 0x2c4 | data | | | 0.6384180790960452 |
RT_RCDATA | 0xc995c | 0x2c | data | | | 1.2045454545454546 |
RT_GROUP_ICON | 0xc9988 | 0x14 | data | English | United States | 1.2 |
RT_VERSION | 0xc999c | 0x584 | data | English | United States | 0.26062322946175637 |
RT_MANIFEST | 0xc9f20 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
DLL | Import |
---|---|
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
comctl32.dll | InitCommonControls |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x4541a8 |
__dbk_fcall_wrapper | 2 | 0x40d0a0 |
dbkFCallWrapperAddr | 1 | 0x4be63c |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 16:03:19 |
Start date: | 16/04/2024 |
Path: | C:\Users\user\Desktop\WSNBOfCAfh.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 10'395'772 bytes |
MD5 hash: | BCB8CBE530F4F7BE6A3901067961AD14 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 16:03:20 |
Start date: | 16/04/2024 |
Path: | C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3'113'472 bytes |
MD5 hash: | 593E2893150FF847791168B00FB97039 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Antivirus matches: |
Reputation: | low |
Has exited: | true |
Target ID: | 6 |
Start time: | 16:03:42 |
Start date: | 16/04/2024 |
Path: | C:\Program Files (x86)\GU_2024\GU.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc50000 |
File size: | 19'850'752 bytes |
MD5 hash: | 5E775346C19A96D094D3D23726E969F6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | false |
Target ID: | 7 |
Start time: | 16:03:44 |
Start date: | 16/04/2024 |
Path: | C:\Windows\splwow64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff716130000 |
File size: | 163'840 bytes |
MD5 hash: | 77DE7761B037061C7C112FD3C5B91E73 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Execution Graph
Execution Coverage: | 0.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 100% |
Total number of Nodes: | 1 |
Total number of Limit Nodes: | 0 |
Graph
Callgraph
Function 00C61A1C Relevance: 1.5, APIs: 1, Instructions: 6 (COMMON)
Control-flow Graph
APIs |
Memory Dump Source |
Joe Sandbox IDA Plugin |
Similarity |
Uniqueness |
Uniqueness Score: -1.00% |