Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 2508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
  - schtasks.exe (PID: 5556 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
    - conhost.exe (PID: 652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - schtasks.exe (PID: 7164 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
    - conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WinTrackerSP.exe (PID: 5732 cmdline: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe MD5: 2019322EA56C5B80294770F6018BDDC1)
- WinTrackerSP.exe (PID: 3524 cmdline: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe MD5: 2019322EA56C5B80294770F6018BDDC1)
- ExtreamFanV5.exe (PID: 3752 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
- ExtreamFanV5.exe (PID: 6404 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
- ExtreamFanV5.exe (PID: 3288 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
- ExtreamFanV5.exe (PID: 4112 cmdline: "C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
- PowerExpertNT.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
- PowerExpertNT.exe (PID: 5480 cmdline: "C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe" MD5: 2019322EA56C5B80294770F6018BDDC1)
- cleanup
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Timestamp: | 04/24/24-09:04:58.222569 |
SID: | 2046266 |
Source Port: | 50505 |
Destination Port: | 49704 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-09:04:58.912086 |
SID: | 2049060 |
Source Port: | 49704 |
Destination Port: | 50505 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 04/24/24-09:05:03.048335 |
SID: | 2046269 |
Source Port: | 49704 |
Destination Port: | 50505 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Dropped File: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | LNK file: |
Source: | Static file information: |
Boot Survival |
---|
Source: | Process created: |
Source: | File created: |
Source: | Registry value created or modified: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Memory written: |
Malware Analysis System Evasion |
---|
Source: | Binary or memory string: |
Source: | Thread sleep count: |
Source: | Last function: |
Source: | Process information queried: |
Source: | Queries volume information: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Process Injection | 1 Masquerading | 1 Credential API Hooking | 21 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 11 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 63% | ReversingLabs | Win32.Trojan.Privateloader | |
| 74% | Virustotal | | |
| 100% | Avira | TR/Redcap.nszjr | |
| 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Avira | TR/Redcap.nszjr | |
| 100% | Avira | TR/Redcap.nszjr | |
| 100% | Avira | TR/Redcap.nszjr | |
| 100% | Joe Sandbox ML | | |
| 100% | Joe Sandbox ML | | |
| 100% | Joe Sandbox ML | | |
| 63% | ReversingLabs | Win32.Trojan.Privateloader | |
| 74% | Virustotal | | |
| 63% | ReversingLabs | Win32.Trojan.Privateloader | |
| 74% | Virustotal | | |
| 63% | ReversingLabs | Win32.Trojan.Privateloader | |
| 74% | Virustotal | | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
5.42.66.10 | unknown | Russian Federation | | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430821 |
Start date and time: | 2024-04-24 09:04:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 1 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal100.evad.winEXE@15/8@0/1 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target ExtreamFanV5.exe, PID 6404 because there are no executed functions
- Execution Graph export aborted for target PowerExpertNT.exe, PID 5480 because there are no executed functions
- Execution Graph export aborted for target WinTrackerSP.exe, PID 5732 because there are no executed functions
- Execution Graph export aborted for target file.exe, PID 2508 because it is empty
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
09:04:58 | Task Scheduler | |
09:04:58 | Task Scheduler | |
09:05:01 | Autostart | |
09:05:09 | Autostart | |
09:05:17 | Autostart | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
5.42.66.10 | | | malicious | Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | | |
| | | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | | | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | | |
| | | malicious | Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT | | |
| | | malicious | RedLine | | |
| | | malicious | Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT | | |
| | | malicious | RedLine | | |
| | | malicious | RedLine | | |
| | | malicious | RedLine | | |
| | | malicious | Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar | | |
| | | malicious | RedLine | | |
| | | malicious | RedLine | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe | | | malicious | GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | | |
| | | malicious | GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer | | |
C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe | | | malicious | GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | | |
| | | malicious | GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer | | |
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe | | | malicious | GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | GCleaner, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | | |
| | | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | | |
| | | malicious | GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer | | |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5857792 |
Entropy (8bit): | 7.958973990519404 |
Encrypted: | false |
SSDEEP: | 98304:L74FEGugF8FjiE4KUte+1gk7SmxXR3QQbP8PNY8N+EO90ZK:H5Gu86d4xl1gqxfQYA5I7 |
MD5: | 2019322EA56C5B80294770F6018BDDC1 |
SHA1: | 19285ECD68A4D9B957F87502C555DAD437CFEB8F |
SHA-256: | 0823C2F58D094E1C096AE9184ACF0B930DF6DFF97D0CD77728DC3FF07F9C0096 |
SHA-512: | 092B6A5E503DA5057FB569BA439DFF8DEA9C79CE6A036F460543EBBC7EB5DE9BC206F5283C26F9F38E4ED027FB9B99336C199C7446E9E1BB3B973E71E11683E0 |
Malicious: | true |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | modified |
Size (bytes): | 77 |
Entropy (8bit): | 4.778431229862073 |
Encrypted: | false |
SSDEEP: | 3:7OoQGlha3FqbYoQGlzVouu+m:rQoGFqJQoZo1 |
MD5: | A2F48548E95FD7DEFDDEEE2C3954AE4F |
SHA1: | 42A6CE0B4F93142B900B6D131400AD328E1A91E6 |
SHA-256: | 2EFF8E0A97F135F84D767E79B61A1BD34AEBE5A5B5C26801286287E621B125A0 |
SHA-512: | E49699DBA070DCABFA638B216201F52354EF1FEB48D3DAE5B0E56B2D7289EDBE642806AEEAFEC7618651937E27109F56439FE9A348C1604B646BF83CD6130398 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1239 |
Entropy (8bit): | 4.911150372803357 |
Encrypted: | false |
SSDEEP: | 24:8slfb8qJRNgKhCM/IT9NDAkmnYjAW4H4mAd1Xqygm:84QQR+MQT9SX6T1ayg |
MD5: | 3DE9D906466BDC6278D6F3D1F7650C7C |
SHA1: | 136E840E2A180FD3C1074A37C15BEABFEA7C8280 |
SHA-256: | 8CDDA29B4FB1FB4F9622ABA101653F78A1F6E590D5B4442BDDC9EBD73DE20993 |
SHA-512: | 1CF87CCE4A14F1DCD1995B9A6B603A01AEFC8A4CB1C155E3A352C7F87ED15E7A9D4F77B7AB2CE7A30D5DC8D8CF341D754CFEE329826B9600987812C430D0AC16 |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.958973990519404 |
TrID: | |
File name: | file.exe |
File size: | 5'857'792 bytes |
MD5: | 2019322ea56c5b80294770f6018bddc1 |
SHA1: | 19285ecd68a4d9b957f87502c555dad437cfeb8f |
SHA256: | 0823c2f58d094e1c096ae9184acf0b930df6dff97d0cd77728dc3ff07f9c0096 |
SHA512: | 092b6a5e503da5057fb569ba439dff8dea9c79ce6a036f460543ebbc7eb5de9bc206f5283c26f9f38e4ed027fb9b99336c199c7446e9e1bb3b973e71e11683e0 |
SSDEEP: | 98304:L74FEGugF8FjiE4KUte+1gk7SmxXR3QQbP8PNY8N+EO90ZK:H5Gu86d4xl1gqxfQYA5I7 |
TLSH: | F046237353710081D1E5883A56377EE872FB037E8F51B5382AE72DC436A66E8E623953 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............'.....x.......e............@...................................Z...@................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0xc965d6 |
Entrypoint Section: | .vmp1024 |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x660C03D4 [Tue Apr 2 13:10:44 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | b92af7920132d9c164f3fefd70cac1d7 |
Instruction |
---|
push BAA6E76Ah |
call 00007F16B4AE727Eh |
jmp 00007F16B4AEA5D5h |
jmp 00007F16B4C7BEDCh |
inc ecx |
clc |
cmp ebx, 04h |
jmp 00007F16B4A75FADh |
test esp, edx |
not eax |
jmp 00007F16B4B0C377h |
mov dx, word ptr [ebp+00h] |
jmp 00007F16B474A2F2h |
dec ecx |
jmp 00007F16B4B8B91Eh |
add esi, edx |
jmp 00007F16B4C63112h |
push edi |
ret |
jmp edi |
jc 00007F16B4AE4207h |
movzx edx, cl |
dec al |
shld ax, ax, 00000077h |
bts ax, cx |
mov eax, 38E38E39h |
test ecx, 08BA2312h |
cmp cx, 1CEBh |
stc |
mul edx |
shr edx, 1 |
mov ax, dx |
ror eax, 45h |
movzx eax, dl |
bsr dx, dx |
btr edx, FFFFFFA7h |
mov edx, eax |
lea ecx, dword ptr [ecx+00h] |
cmc |
test sp, 67F5h |
add cl, FFFFFFF7h |
clc |
cmc |
sub eax, 01h |
jmp 00007F16B4AE41ACh |
mov eax, dword ptr [ebp+08h] |
pop edi |
jmp 00007F16B4AA79B7h |
inc ecx |
inc ebx |
inc ecx |
neg ebx |
jmp 00007F16B4AAE3B5h |
push edi |
ret |
jmp 00007F16B476087Fh |
inc edx |
jmp 00007F16B4B5CE71h |
jmp edi |
mov word ptr [esi+04h], dx |
cmovnle dx, dx |
mov dx, bp |
bswap dx |
pushfd |
pop dword ptr [esi] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x83aef8 | 0xdc | .vmp1024 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x950000 | 0x49bb5 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94f000 | 0x618 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6ffd88 | 0x20 | .vmp1024 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x94def0 | 0x40 | .vmp1024 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x88b000 | 0x80 | .vmp1024 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6da7b | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x6f000 | 0x17200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x87000 | 0x2698 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.vmp1024 | 0x8a000 | 0x330e46 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.vmp1024 | 0x3bb000 | 0x5933f0 | 0x593400 | ba6b512b8eafe58512a8ca98144253e1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x94f000 | 0x618 | 0x800 | 13badda7649731b81d32422fb18b4a27 | False | 0.4130859375 | data | 3.54613520452289 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x950000 | 0x49bb5 | 0x2200 | b1fb8a707a41cb257d4be4a268724e75 | False | 0.2672334558823529 | data | 3.1598133691010966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x952178 | 0x134 | data | English | United States | 0.08823529411764706 |
RT_CURSOR | 0x9522ac | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x9523e0 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952514 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952648 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x95277c | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x9528b0 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x9529e4 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952b18 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952c4c | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952d80 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952eb4 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x952fe8 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x95311c | 0xb4 | empty | English | United States | 0 |
RT_CURSOR | 0x9531d0 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953304 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953438 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x95356c | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x9536a0 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x9537d4 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953908 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953a3c | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953b70 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953ca4 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953dd8 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x953f0c | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x954040 | 0x134 | empty | English | United States | 0 |
RT_CURSOR | 0x954174 | 0x134 | empty | English | United States | 0 |
RT_BITMAP | 0x9542a8 | 0x189ea | empty | English | United States | 0 |
RT_BITMAP | 0x96cc94 | 0x62c | empty | English | United States | 0 |
RT_BITMAP | 0x96d2c0 | 0xe8 | empty | English | United States | 0 |
RT_BITMAP | 0x96d3a8 | 0x4a0 | empty | English | United States | 0 |
RT_BITMAP | 0x96d848 | 0x197a | empty | English | United States | 0 |
RT_BITMAP | 0x96f1c4 | 0xc8 | empty | English | United States | 0 |
RT_BITMAP | 0x96f28c | 0xc8 | empty | English | United States | 0 |
RT_BITMAP | 0x96f354 | 0xc8 | empty | English | United States | 0 |
RT_BITMAP | 0x96f41c | 0xc8 | empty | English | United States | 0 |
RT_BITMAP | 0x96f4e4 | 0x182a | empty | English | United States | 0 |
RT_BITMAP | 0x970d10 | 0x468 | empty | English | United States | 0 |
RT_BITMAP | 0x971178 | 0x528 | empty | English | United States | 0 |
RT_BITMAP | 0x9716a0 | 0x528 | empty | English | United States | 0 |
RT_BITMAP | 0x971bc8 | 0x158 | empty | English | United States | 0 |
RT_BITMAP | 0x971d20 | 0x188 | empty | English | United States | 0 |
RT_BITMAP | 0x971ea8 | 0x1e8 | empty | English | United States | 0 |
RT_BITMAP | 0x972090 | 0xad2 | empty | English | United States | 0 |
RT_BITMAP | 0x972b64 | 0xad2 | empty | English | United States | 0 |
RT_BITMAP | 0x973638 | 0xb0a | empty | English | United States | 0 |
RT_BITMAP | 0x974144 | 0x7e2 | empty | English | United States | 0 |
RT_BITMAP | 0x974928 | 0xb0a | empty | English | United States | 0 |
RT_BITMAP | 0x975434 | 0x134 | empty | English | United States | 0 |
RT_BITMAP | 0x975568 | 0x928 | empty | English | United States | 0 |
RT_BITMAP | 0x975e90 | 0x32a | empty | English | United States | 0 |
RT_BITMAP | 0x9761bc | 0x32a | empty | English | United States | 0 |
RT_BITMAP | 0x9764e8 | 0xc2a | empty | English | United States | 0 |
RT_BITMAP | 0x977114 | 0x20a | empty | English | United States | 0 |
RT_BITMAP | 0x977320 | 0x20a | empty | English | United States | 0 |
RT_BITMAP | 0x97752c | 0x20a | empty | English | United States | 0 |
RT_BITMAP | 0x977738 | 0x20a | empty | English | United States | 0 |
RT_BITMAP | 0x977944 | 0x32a | empty | English | United States | 0 |
RT_BITMAP | 0x977c70 | 0x2256 | empty | English | United States | 0 |
RT_BITMAP | 0x979ec8 | 0x602a | empty | English | United States | 0 |
RT_BITMAP | 0x97fef4 | 0x2028 | empty | English | United States | 0 |
RT_BITMAP | 0x981f1c | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x9832f8 | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x9846d4 | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x985ab0 | 0xeb2 | empty | English | United States | 0 |
RT_BITMAP | 0x986964 | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x987d40 | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x98911c | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x98a4f8 | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x98b8d4 | 0xeb2 | empty | English | United States | 0 |
RT_BITMAP | 0x98c788 | 0x13da | empty | English | United States | 0 |
RT_BITMAP | 0x98db64 | 0x5a66 | empty | English | United States | 0 |
RT_BITMAP | 0x9935cc | 0xb8 | empty | English | United States | 0 |
RT_BITMAP | 0x993684 | 0x144 | empty | English | United States | 0 |
RT_MENU | 0x9937c8 | 0x11c | empty | English | United States | 0 |
RT_DIALOG | 0x9938e4 | 0x144 | empty | English | United States | 0 |
RT_DIALOG | 0x993a28 | 0x1f6 | empty | English | United States | 0 |
RT_DIALOG | 0x993c20 | 0x13c | empty | English | United States | 0 |
RT_DIALOG | 0x993d5c | 0x1a4 | empty | English | United States | 0 |
RT_DIALOG | 0x993f00 | 0xe6 | empty | English | United States | 0 |
RT_DIALOG | 0x993fe8 | 0x390 | empty | English | United States | 0 |
RT_DIALOG | 0x994378 | 0x21c | empty | English | United States | 0 |
RT_DIALOG | 0x994594 | 0x390 | empty | English | United States | 0 |
RT_DIALOG | 0x994924 | 0x1dc | empty | English | United States | 0 |
RT_DIALOG | 0x994b00 | 0x346 | empty | English | United States | 0 |
RT_DIALOG | 0x994e48 | 0x334 | empty | English | United States | 0 |
RT_DIALOG | 0x99517c | 0x58 | empty | English | United States | 0 |
RT_DIALOG | 0x9951d4 | 0x23c | empty | English | United States | 0 |
RT_DIALOG | 0x995410 | 0x1c2 | empty | English | United States | 0 |
RT_DIALOG | 0x9955d4 | 0x160 | empty | English | United States | 0 |
RT_DIALOG | 0x995734 | 0xb2 | empty | English | United States | 0 |
RT_DIALOG | 0x9957e8 | 0x3d4 | empty | English | United States | 0 |
RT_DIALOG | 0x995bbc | 0x19e | empty | English | United States | 0 |
RT_DIALOG | 0x995d5c | 0x1a2 | empty | English | United States | 0 |
RT_DIALOG | 0x995f00 | 0x34 | empty | English | United States | 0 |
RT_DIALOG | 0x995f34 | 0x2a8 | empty | English | United States | 0 |
RT_DIALOG | 0x9961dc | 0x382 | empty | English | United States | 0 |
RT_DIALOG | 0x996560 | 0xe8 | empty | English | United States | 0 |
RT_DIALOG | 0x996648 | 0x34 | empty | English | United States | 0 |
RT_STRING | 0x99667c | 0x4c | empty | English | United States | 0 |
RT_STRING | 0x9966c8 | 0x32c | empty | English | United States | 0 |
RT_STRING | 0x9969f4 | 0x248 | empty | English | United States | 0 |
RT_STRING | 0x996c3c | 0x84 | empty | English | United States | 0 |
RT_STRING | 0x996cc0 | 0x2a8 | empty | English | United States | 0 |
RT_STRING | 0x996f68 | 0x20e | empty | English | United States | 0 |
RT_STRING | 0x997178 | 0x24c | empty | English | United States | 0 |
RT_STRING | 0x9973c4 | 0x3c | empty | English | United States | 0 |
RT_STRING | 0x997400 | 0x16e | empty | English | United States | 0 |
RT_STRING | 0x997570 | 0xa6 | empty | English | United States | 0 |
RT_STRING | 0x997618 | 0x184 | empty | English | United States | 0 |
RT_STRING | 0x99779c | 0x66 | empty | English | United States | 0 |
RT_STRING | 0x997804 | 0x1d6 | empty | English | United States | 0 |
RT_STRING | 0x9979dc | 0x186 | empty | English | United States | 0 |
RT_STRING | 0x997b64 | 0xb2 | empty | English | United States | 0 |
RT_STRING | 0x997c18 | 0x48 | empty | English | United States | 0 |
RT_STRING | 0x997c60 | 0x18c | empty | English | United States | 0 |
RT_STRING | 0x997dec | 0x82 | empty | English | United States | 0 |
RT_STRING | 0x997e70 | 0x2a | empty | English | United States | 0 |
RT_STRING | 0x997e9c | 0x184 | empty | English | United States | 0 |
RT_STRING | 0x998020 | 0x4ee | empty | English | United States | 0 |
RT_STRING | 0x998510 | 0x264 | empty | English | United States | 0 |
RT_STRING | 0x998774 | 0x2da | empty | English | United States | 0 |
RT_STRING | 0x998a50 | 0x8a | empty | English | United States | 0 |
RT_STRING | 0x998adc | 0xac | empty | English | United States | 0 |
RT_STRING | 0x998b88 | 0xde | empty | English | United States | 0 |
RT_STRING | 0x998c68 | 0x4a8 | empty | English | United States | 0 |
RT_STRING | 0x999110 | 0x228 | empty | English | United States | 0 |
RT_STRING | 0x999338 | 0x2c | empty | English | United States | 0 |
RT_STRING | 0x999364 | 0x53e | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9998a4 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9998b8 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9998cc | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9998e0 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9998f4 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999908 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x99991c | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999930 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999944 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999958 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x99996c | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999980 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999994 | 0x22 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9999b8 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9999cc | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9999e0 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x9999f4 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a08 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a1c | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a30 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a44 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a58 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a6c | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a80 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999a94 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999aa8 | 0x14 | empty | English | United States | 0 |
RT_GROUP_CURSOR | 0x999abc | 0x14 | empty | English | United States | 0 |
RT_MANIFEST | 0x951ea0 | 0x2d5 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5020689655172413 |
None | 0x999ad0 | 0xe5 | empty | English | United States | 0 |
DLL | Import |
---|---|
KERNEL32.dll | Sleep |
ADVAPI32.dll | GetUserNameA |
SHELL32.dll | ShellExecuteA |
ole32.dll | CoCreateInstance |
WS2_32.dll | send |
WTSAPI32.dll | WTSSendMessageW |
KERNEL32.dll | VirtualQuery |
USER32.dll | GetProcessWindowStation |
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress |
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW |
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/24/24-09:04:58.222569 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
04/24/24-09:04:58.912086 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
04/24/24-09:05:03.048335 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 09:04:57.560302973 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:57.891004086 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:57.891220093 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:58.222568989 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:58.266952038 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:58.912086010 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:59.286880016 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:59.329447031 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:59.584568977 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:59.915158987 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:59.970065117 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:05:03.048335075 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:05:03.379144907 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:05:03.423161983 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
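The two network tables above pin the sample's only external conversation to 5.42.66.10 on TCP port 50505, but the raw rows do not state who opened the connection, how the packets split by direction, or how long the session lasted. The following Python is an added example, not part of the Joe Sandbox report: it parses the packet rows as transcribed from the table, picks the external peer with the `ipaddress` module, summarises the flow, and emits a local Suricata rule for the endpoint. The `suricata_rule` helper, its message text and the sid 1000001 (local-rule range) are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Packet rows transcribed from the TCP table in the report above:
# timestamp | source port | dest port | source IP | dest IP
PACKET_ROWS = """
Apr 24, 2024 09:04:57.560302973 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:57.891004086 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:57.891220093 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:58.222568989 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:58.266952038 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:58.912086010 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:59.286880016 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:59.329447031 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:59.584568977 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:04:59.915158987 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:04:59.970065117 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:05:03.048335075 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
Apr 24, 2024 09:05:03.379144907 CEST | 50505 | 49704 | 5.42.66.10 | 192.168.2.5 |
Apr 24, 2024 09:05:03.423161983 CEST | 49704 | 50505 | 192.168.2.5 | 5.42.66.10 |
"""


def parse_timestamp(text):
    """'Apr 24, 2024 09:04:57.560302973 CEST' -> float seconds.

    strptime's %f accepts at most six fractional digits, so the nanosecond
    part is split off and added separately. The zone suffix is dropped and
    the value treated as UTC; only differences between rows are used.
    """
    stamp, _zone = text.rsplit(" ", 1)
    whole, _, frac = stamp.partition(".")
    base = datetime.strptime(whole, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + (float("0." + frac) if frac else 0.0)


def parse_packets(text):
    """Turn the pipe-separated rows into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5:
            continue  # blank line or a header row
        ts, sport, dport, src, dst = cells
        packets.append({"t": parse_timestamp(ts), "sport": int(sport),
                        "dport": int(dport), "src": src, "dst": dst})
    return packets


def summarize_flow(packets):
    """Name the external peer, who opened the connection, packets per
    direction, the session span and the longest silence between packets."""
    first = packets[0]
    if ipaddress.ip_address(first["dst"]).is_global:
        peer, peer_port, initiator = first["dst"], first["dport"], first["src"]
    else:
        peer, peer_port, initiator = first["src"], first["sport"], first["dst"]
    outbound = sum(1 for p in packets if p["dst"] == peer)
    times = sorted(p["t"] for p in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "peer": f"{peer}:{peer_port}",
        "initiator": initiator,
        "outbound": outbound,
        "inbound": len(packets) - outbound,
        "duration_s": round(times[-1] - times[0], 3),
        "longest_gap_s": round(max(gaps), 3),
    }


def suricata_rule(peer_ip, peer_port, sid):
    """Local Suricata/Snort rule for the endpoint. The message text and the
    sid (local range 1000000 and up) are this example's assumptions."""
    return (f'alert tcp $HOME_NET any -> {peer_ip} {peer_port} '
            f'(msg:"RisePro C2 endpoint from sandbox report"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    summary = summarize_flow(parse_packets(PACKET_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
    peer_ip, peer_port = summary["peer"].split(":")
    print(suricata_rule(peer_ip, int(peer_port), 1000001))
```

The peer is chosen from the first packet rather than hard-coded, so the same script works on any single-flow table from a report; the longest-gap figure is only a hint at beacon cadence, since a 6-second capture is far too short to establish a period.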
Target ID: | 0 |
Start time: | 09:04:55 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xea0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 09:04:57 |
Start date: | 24/04/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd30000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 09:04:57 |
Start date: | 24/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 09:04:57 |
Start date: | 24/04/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd30000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 09:04:57 |
Start date: | 24/04/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 09:04:58 |
Start date: | 24/04/2024 |
Path: | C:\ProgramData\WinTrackerSP\WinTrackerSP.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd70000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 09:04:59 |
Start date: | 24/04/2024 |
Path: | C:\ProgramData\WinTrackerSP\WinTrackerSP.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd70000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 8 |
Start time: | 09:05:09 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1a0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 11 |
Start time: | 09:05:10 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1a0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 13 |
Start time: | 09:05:17 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x1a0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 15 |
Start time: | 09:05:18 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1a0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 16 |
Start time: | 09:05:25 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4c0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 18 |
Start time: | 09:05:26 |
Start date: | 24/04/2024 |
Path: | C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4c0000 |
File size: | 5'857'792 bytes |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
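Read one at a time, the Target ID blocks above hide what they show together: the same MD5 (2019322EA56C5B80294770F6018BDDC1) is executed from four different paths, and the copies under AppData run twice each, once without and once with elevated privileges. The following Python is an added example, not part of the report, that parses a transcription of the relevant rows from those blocks (only Target ID, Path, MD5 hash and Has elevated privileges are kept; the other rows are omitted) and groups them so those two facts fall out directly. The function names are the example's own.

```python
from collections import defaultdict

# Transcribed from the "Target ID" blocks above. Only the rows this example
# needs are kept; all other rows of each block are omitted.
PROCESS_TABLE = r"""
Target ID: | 0 |
Path: | C:\Users\user\Desktop\file.exe |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Target ID: | 2 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Target ID: | 3 |
Path: | C:\Windows\System32\conhost.exe |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Target ID: | 6 |
Path: | C:\ProgramData\WinTrackerSP\WinTrackerSP.exe |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Target ID: | 8 |
Path: | C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | false |
Target ID: | 11 |
Path: | C:\Users\user\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
Target ID: | 16 |
Path: | C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | false |
Target ID: | 18 |
Path: | C:\Users\user\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe |
MD5 hash: | 2019322EA56C5B80294770F6018BDDC1 |
Has elevated privileges: | true |
"""


def parse_process_table(text):
    """Turn 'Key: | value |' rows into one dict per Target ID block.
    partition() splits at the first colon only, so drive-letter paths survive."""
    records, current = [], None
    for line in text.splitlines():
        if "|" not in line:
            continue
        key, _, rest = line.partition(":")
        key, value = key.strip(), rest.strip().strip("|").strip()
        if key == "Target ID":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def self_copies(records):
    """MD5 -> sorted distinct paths it ran from, keeping only hashes seen at
    more than one path. One hash running from several locations is the
    sample copying itself under new names."""
    paths = defaultdict(set)
    for r in records:
        paths[r["MD5 hash"].upper()].add(r["Path"])
    return {h: sorted(p) for h, p in paths.items() if len(p) > 1}


def elevation_profile(records):
    """Path -> how many runs had elevated privileges and how many did not."""
    profile = defaultdict(lambda: {"elevated": 0, "unelevated": 0})
    for r in records:
        bucket = "elevated" if r["Has elevated privileges"] == "true" else "unelevated"
        profile[r["Path"]][bucket] += 1
    return dict(profile)


def relaunched_with_elevation(records):
    """Paths that ran both without and with elevated privileges."""
    return sorted(p for p, c in elevation_profile(records).items()
                  if c["elevated"] and c["unelevated"])


if __name__ == "__main__":
    recs = parse_process_table(PROCESS_TABLE)
    for md5, paths in self_copies(recs).items():
        print(f"{md5} ran from {len(paths)} paths:")
        for p in paths:
            print("   ", p)
    print("ran unelevated, then elevated:", relaunched_with_elevation(recs))
```

Grouping by hash rather than by name is the point: each copy carries a different, benign-looking file name, and only the shared MD5 ties them back to file.exe.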
Function | Relevance | Strings | Instructions | Tag | Uniqueness Score |
---|---|---|---|---|---|
00EAC790 | 2.5 | 2 | 30 | COMMON | -1.00% |
00EADAB0 | 0.0 | | 41 | COMMON | -1.00% |
00EAC7F0 | 0.0 | | 21 | COMMON | -1.00% |