Edit tour
Windows
Analysis Report
HT4YGXBRtx.exe
Overview
General Information
| Sample name: | HT4YGXBRtx.exerenamed because original name is a hash value |
| Original sample name: | e9b6e8ea2ee0c97ed47b022a1b3d433c9fc7b7585dcebe7b52a2254fb68a72af.exe |
| Analysis ID: | 1631788 |
| MD5: | 6c22541a5ead0ca30ee07fee745d5eda |
| SHA1: | 227d7f8c7af279d2a9bc0cfeeef8ef3b12a33779 |
| SHA256: | e9b6e8ea2ee0c97ed47b022a1b3d433c9fc7b7585dcebe7b52a2254fb68a72af |
| Tags: | exeuser-adrian__luca |
| Infos: |  |
 | |
Detection
Snake Keylogger
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Binary is likely a compiled AutoIt script file
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
HT4YGXBRtx.exe (PID: 6616 cmdline: "C:\Users\ user\Deskt op\HT4YGXB Rtx.exe" MD5: 6C22541A5EAD0CA30EE07FEE745D5EDA) 
RegSvcs.exe (PID: 6836 cmdline: "C:\Users\ user\Deskt op\HT4YGXB Rtx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94) 
cmd.exe (PID: 1492 cmdline: "C:\Window s\System32 \cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Wi ndows\Micr osoft.NET\ Framework\ v4.0.30319 \RegSvcs.e xe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6500 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - choice.exe (PID: 6116 cmdline:
choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| 404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution |
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7628028410:AAEpbCbHTWOy3r7fqeLD67OvGFoUK2pQiBw/sendMessage?chat_id=7337843299", "Token": "7628028410:AAEpbCbHTWOy3r7fqeLD67OvGFoUK2pQiBw", "Chat_id": "7337843299", "Version": "5.1"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen |
| |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| Click to see the 13 entries | ||||
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T15:54:23.909929+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 104.21.64.1 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T15:54:18.997293+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | TCP |
| 2025-03-07T15:54:21.872338+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | TCP |
| 2025-03-07T15:54:24.684955+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49684 | 132.226.247.73 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00FA445A | |
| Source: | Code function: | 0_2_00FAC6D1 | |
| Source: | Code function: | 0_2_00FAC75C | |
| Source: | Code function: | 0_2_00FAEF95 | |
| Source: | Code function: | 0_2_00FAF0F2 | |
| Source: | Code function: | 0_2_00FAF3F3 | |
| Source: | Code function: | 0_2_00FA37EF | |
| Source: | Code function: | 0_2_00FA3B12 | |
| Source: | Code function: | 0_2_00FABCBC | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00FB22EE | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | 0_2_00FB4164 | |
| Source: | Code function: | 0_2_00FB4164 | |
| Source: | Code function: | 0_2_00FB3F66 | |
| Source: | Code function: | 0_2_00FA001C | |
| Source: | Code function: | 0_2_00FCCABC | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00F43B3A | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_95dc7109-3 | |
| Source: | String found in binary or memory: | memstr_8dfa0fa4-4 | |
| Source: | String found in binary or memory: | memstr_4de997dd-a | |
| Source: | String found in binary or memory: | memstr_f2fba3eb-6 | |
| Source: | Code function: | 0_2_00FAA1EF | |
| Source: | Code function: | 0_2_00F98310 | |
| Source: | Code function: | 0_2_00FA51BD | |
| Source: | Code function: | 0_2_00F4E6A0 | |
| Source: | Code function: | 0_2_00F6D975 | |
| Source: | Code function: | 0_2_00F4FCE0 | |
| Source: | Code function: | 0_2_00F621C5 | |
| Source: | Code function: | 0_2_00F762D2 | |
| Source: | Code function: | 0_2_00FC03DA | |
| Source: | Code function: | 0_2_00F7242E | |
| Source: | Code function: | 0_2_00F625FA | |
| Source: | Code function: | 0_2_00F566E1 | |
| Source: | Code function: | 0_2_00F9E616 | |
| Source: | Code function: | 0_2_00F7878F | |
| Source: | Code function: | 0_2_00FA8889 | |
| Source: | Code function: | 0_2_00FC0857 | |
| Source: | Code function: | 0_2_00F76844 | |
| Source: | Code function: | 0_2_00F58808 | |
| Source: | Code function: | 0_2_00F6CB21 | |
| Source: | Code function: | 0_2_00F76DB6 | |
| Source: | Code function: | 0_2_00F56F9E | |
| Source: | Code function: | 0_2_00F53030 | |
| Source: | Code function: | 0_2_00F6F1D9 | |
| Source: | Code function: | 0_2_00F63187 | |
| Source: | Code function: | 0_2_00F41287 | |
| Source: | Code function: | 0_2_00F61484 | |
| Source: | Code function: | 0_2_00F55520 | |
| Source: | Code function: | 0_2_00F67696 | |
| Source: | Code function: | 0_2_00F55760 | |
| Source: | Code function: | 0_2_00F61978 | |
| Source: | Code function: | 0_2_00F79AB5 | |
| Source: | Code function: | 0_2_00FC7DDB | |
| Source: | Code function: | 0_2_00F6BDA6 | |
| Source: | Code function: | 0_2_00F61D90 | |
| Source: | Code function: | 0_2_00F53FE0 | |
| Source: | Code function: | 0_2_00F4DF00 | |
| Source: | Code function: | 0_2_00A43670 | |
| Source: | Code function: | 1_2_02E9B328 | |
| Source: | Code function: | 1_2_02E9C190 | |
| Source: | Code function: | 1_2_02E96108 | |
| Source: | Code function: | 1_2_02E9C751 | |
| Source: | Code function: | 1_2_02E9C470 | |
| Source: | Code function: | 1_2_02E94AD9 | |
| Source: | Code function: | 1_2_02E9CA31 | |
| Source: | Code function: | 1_2_02E9BBD3 | |
| Source: | Code function: | 1_2_02E96880 | |
| Source: | Code function: | 1_2_02E99858 | |
| Source: | Code function: | 1_2_02E9BEB0 | |
| Source: | Code function: | 1_2_02E9B4F3 | |
| Source: | Code function: | 1_2_02E93570 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Base64 encoded string: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00FAA06A | |
| Source: | Code function: | 0_2_00F981CB | |
| Source: | Code function: | 0_2_00F987E1 | |
| Source: | Code function: | 0_2_00FAB3FB | |
| Source: | Code function: | 0_2_00FBEE0D | |
| Source: | Code function: | 0_2_00FB83BB | |
| Source: | Code function: | 0_2_00F44E89 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00F44B37 | |
| Source: | Code function: | 0_2_00F68958 | |
| Source: | Code function: | 0_2_00F448D7 | |
| Source: | Code function: | 0_2_00FC5376 | |
| Source: | Code function: | 0_2_00F63187 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00FA445A | |
| Source: | Code function: | 0_2_00FAC6D1 | |
| Source: | Code function: | 0_2_00FAC75C | |
| Source: | Code function: | 0_2_00FAEF95 | |
| Source: | Code function: | 0_2_00FAF0F2 | |
| Source: | Code function: | 0_2_00FAF3F3 | |
| Source: | Code function: | 0_2_00FA37EF | |
| Source: | Code function: | 0_2_00FA3B12 | |
| Source: | Code function: | 0_2_00FABCBC | |
| Source: | Code function: | 0_2_00F449A0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-104826 | ||
| Source: | Code function: | 0_2_00FB3F09 | |
| Source: | Code function: | 0_2_00F43B3A | |
| Source: | Code function: | 0_2_00F75A7C | |
| Source: | Code function: | 0_2_00F44B37 | |
| Source: | Code function: | 0_2_00A43500 | |
| Source: | Code function: | 0_2_00A43560 | |
| Source: | Code function: | 0_2_00A41E70 | |
| Source: | Code function: | 0_2_00F980A9 | |
| Source: | Code function: | 0_2_00F6A155 | |
| Source: | Code function: | 0_2_00F6A124 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F987B1 | |
| Source: | Code function: | 0_2_00F43B3A | |
| Source: | Code function: | 0_2_00F448D7 | |
| Source: | Code function: | 0_2_00FA4C7F | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F97CAF | |
| Source: | Code function: | 0_2_00F9874B | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00F6862B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00F74E87 | |
| Source: | Code function: | 0_2_00F81E06 | |
| Source: | Code function: | 0_2_00F73F3A | |
| Source: | Code function: | 0_2_00F449A0 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00FB6283 | |
| Source: | Code function: | 0_2_00FB6747 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 21 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 126 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 63% | ReversingLabs | Win32.Trojan.DarkCloud | ||
| 65% | Virustotal | Browse | ||
| 100% | Avira | TR/AD.SnakeStealer.tqqbm |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 104.21.64.1 | true | false | high | |
| checkip.dyndns.com | 132.226.247.73 | true | false | high | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1631788 |
| Start date and time: | 2025-03-07 15:53:19 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 38s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 14 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | HT4YGXBRtx.exerenamed because original name is a hash value |
| Original Sample Name: | e9b6e8ea2ee0c97ed47b022a1b3d433c9fc7b7585dcebe7b52a2254fb68a72af.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@8/5@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.199.214.10
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
- Execution Graph export aborted for target RegSvcs.exe, PID 6836 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 09:54:21 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 104.21.64.1 | Get hash | malicious | Lokibot | Browse |
| |
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| 132.226.247.73 | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| UTMEMUS | Get hash | malicious | Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| |
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
|
⊘No context
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1039 |
| Entropy (8bit): | 5.353332853270839 |
| Encrypted: | false |
| SSDEEP: | 24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR |
| MD5: | A4AF0F36EC4E0C69DC0F860C891E8BBE |
| SHA1: | 28DD81A1EDDF71CBCBF86DA986E047279EF097CD |
| SHA-256: | B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE |
| SHA-512: | A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\HT4YGXBRtx.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16776 |
| Entropy (8bit): | 7.496052840131281 |
| Encrypted: | false |
| SSDEEP: | 384:GrBdiwBCv1mVmrL8qZ6A1oDqUKKNcPrJfkAL0pN:U4dv1ymrI/DoKNcPrn0v |
| MD5: | 6DC2C7DB76873C55EF868A961F692FCC |
| SHA1: | 382B87431D06179FBE1B07920F386AEF12700DCD |
| SHA-256: | D9C5B93FD2A768FB12388945DFBE1FFB405264EADBDE2672764018391B0FCD69 |
| SHA-512: | 26E4A9FC5B1CD648D31C3E78BA217D3AD0E9C15A16924786F0C6118540A2316265966BB4256CC70BAB970FD88DE88769712689F990927267630E9C7874FA3035 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\HT4YGXBRtx.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94176 |
| Entropy (8bit): | 7.927407946138047 |
| Encrypted: | false |
| SSDEEP: | 1536:21jegkkPSe+rTmnYlg3W0mTKhYLnrjdZOYv+heasRTGf+N6pigx8TngAS:M7VPSemTmf0lTFGIaAMgS8TS |
| MD5: | BE7EC39E2E20A48D0A300C38F068E7D7 |
| SHA1: | 9BCB3DBBE7202409D471B95E73026F30D0FF03F8 |
| SHA-256: | 249EACA4B837DA89EDE8377D1CD601E50FA802D006C34597BBAC6CE57F3850E7 |
| SHA-512: | 0A4998E95165D4E922C6DCEF3A7C010A8016C1953B6454A93CF80AC0212380C515F56C3DFA868876B62846471EF71152F1DCEAD52F8505603C5EC8110A6C2758 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\HT4YGXBRtx.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 296998 |
| Entropy (8bit): | 3.060644820537526 |
| Encrypted: | false |
| SSDEEP: | 12:kRqkJpeIplat42eplZFz6JplhnuRIcycTl7ZTDVVIIeIcNedVp3fRLFjwXjPOad/:N |
| MD5: | 5D57C6CC89D29105BFC79A6CCCD052F8 |
| SHA1: | 349A02D86C9C5EB158D7046F2F8360361F735309 |
| SHA-256: | 32A423F0767C1459B2BF2219287B64085212470C2DD3AD5B752BC635B6340971 |
| SHA-512: | 320755B881AC960EEBD1A997B2A2D9E059ECEF4C21418E0A5B035AB9500011ADFBCA3001C54F9DB41556CDD4D74ACF5CE556D700D23C1ECC2DD5762E927F38CF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\HT4YGXBRtx.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 133632 |
| Entropy (8bit): | 7.065309988474431 |
| Encrypted: | false |
| SSDEEP: | 1536:NAxwYeJ/jIQRqW9HKnLnNXSQJbNpppSEjMTkDTLT5mY+6l0MKSzkiyeI/3M44cj0:NMyyQRVyKgeiyeIEjGmZJIVU2s39xj |
| MD5: | 83643DDF6072DA4953EAD826196F3233 |
| SHA1: | AEFFB042CEF0C6CB34DD529D93AD136150B80FD1 |
| SHA-256: | DB8F86130ADC455F5AC6125647C4D9A63B4DD9CB9112706CDD4647348B9B15AE |
| SHA-512: | 8E2827085CD9D28D36F060E5E594858CC132EEA2CF5EAD0A29C258A0F2B05AB91849A0972A9AF88EE7389C514AD29F364C4628DF3188432732D63A03E4569B75 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.860043329932603 |
| TrID: |
|
| File name: | HT4YGXBRtx.exe |
| File size: | 972'800 bytes |
| MD5: | 6c22541a5ead0ca30ee07fee745d5eda |
| SHA1: | 227d7f8c7af279d2a9bc0cfeeef8ef3b12a33779 |
| SHA256: | e9b6e8ea2ee0c97ed47b022a1b3d433c9fc7b7585dcebe7b52a2254fb68a72af |
| SHA512: | 6abe98ae65a3536c5d5251f70ddab074dab433bda11c88fac86ec30263d3f638c3afea4f1fbd865d2f3e772a4fe079ddc1ebc1d0a2c00a5f0016478486a2d140 |
| SSDEEP: | 24576:Ku6J33O0c+JY5UZ+XC0kGso6FaFtTyVlEJQbWY:8u0c++OCvkGs9FaFtG3EBY |
| TLSH: | 8925AD2273DEC361CB669133BF29B7016EBF3C614630B95B2F980D7DA950162162D7A3 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}. |
 | |
| Icon Hash: | aaf3e3e3938382a0 |
| Entrypoint: | 0x427dcd |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67ACB332 [Wed Feb 12 14:41:54 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
| Instruction |
|---|
| call 00007F95B4B440DAh |
| jmp 00007F95B4B36EA4h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| mov esi, dword ptr [esp+10h] |
| mov ecx, dword ptr [esp+14h] |
| mov edi, dword ptr [esp+0Ch] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007F95B4B3702Ah |
| cmp edi, eax |
| jc 00007F95B4B3738Eh |
| bt dword ptr [004C31FCh], 01h |
| jnc 00007F95B4B37029h |
| rep movsb |
| jmp 00007F95B4B3733Ch |
| cmp ecx, 00000080h |
| jc 00007F95B4B371F4h |
| mov eax, edi |
| xor eax, esi |
| test eax, 0000000Fh |
| jne 00007F95B4B37030h |
| bt dword ptr [004BE324h], 01h |
| jc 00007F95B4B37500h |
| bt dword ptr [004C31FCh], 00000000h |
| jnc 00007F95B4B371CDh |
| test edi, 00000003h |
| jne 00007F95B4B371DEh |
| test esi, 00000003h |
| jne 00007F95B4B371BDh |
| bt edi, 02h |
| jnc 00007F95B4B3702Fh |
| mov eax, dword ptr [esi] |
| sub ecx, 04h |
| lea esi, dword ptr [esi+04h] |
| mov dword ptr [edi], eax |
| lea edi, dword ptr [edi+04h] |
| bt edi, 03h |
| jnc 00007F95B4B37033h |
| movq xmm1, qword ptr [esi] |
| sub ecx, 08h |
| lea esi, dword ptr [esi+08h] |
| movq qword ptr [edi], xmm1 |
| lea edi, dword ptr [edi+08h] |
| test esi, 00000007h |
| je 00007F95B4B37085h |
| bt esi, 03h |
| jnc 00007F95B4B370D8h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x24e14 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0x711c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc7000 | 0x24e14 | 0x25000 | ff91bc8374ddd95167a6583ba3e1e474 | False | 0.8201673353040541 | data | 7.602696921745735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xec000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xcf7b8 | 0x1c0da | data | 1.0004003272239919 | ||
| RT_GROUP_ICON | 0xeb894 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0xeb90c | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xeb920 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xeb934 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xeb948 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0xeba24 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Description | Data |
|---|---|
| Translation | 0x0809 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T15:54:18.997293+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | TCP |
| 2025-03-07T15:54:21.872338+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | TCP |
| 2025-03-07T15:54:23.909929+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49683 | 104.21.64.1 | 443 | TCP |
| 2025-03-07T15:54:24.684955+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49684 | 132.226.247.73 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 15:54:18.022691965 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:18.027942896 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:18.028021097 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:18.028352022 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:18.033345938 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:18.727929115 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:18.735768080 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:18.740987062 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:18.945441008 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:18.997292995 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:19.008768082 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:19.008817911 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:19.008908033 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:19.020752907 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:19.020785093 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:20.672631025 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:20.672708035 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:20.686599970 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:20.686633110 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:20.687000036 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:20.731688976 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:20.751705885 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:20.792326927 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.604089975 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.604252100 CET | 443 | 49682 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.604343891 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:21.612263918 CET | 49682 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:21.615669966 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:21.621614933 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.825989008 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.831584930 CET | 49683 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:21.831688881 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.831799984 CET | 49683 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:21.832086086 CET | 49683 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:21.832123041 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:21.872338057 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:23.429605961 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:23.432125092 CET | 49683 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:23.432174921 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:23.909970999 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:23.910057068 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:23.910116911 CET | 49683 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:23.910522938 CET | 49683 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:23.913656950 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:23.914884090 CET | 49684 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:23.919023037 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:23.919094086 CET | 49681 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:23.920208931 CET | 80 | 49684 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:23.920279980 CET | 49684 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:23.920363903 CET | 49684 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:23.925426006 CET | 80 | 49684 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:24.635401964 CET | 80 | 49684 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:24.636828899 CET | 49685 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:24.636878967 CET | 443 | 49685 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:24.636974096 CET | 49685 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:24.637289047 CET | 49685 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:24.637305021 CET | 443 | 49685 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:24.684954882 CET | 49684 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:26.358549118 CET | 443 | 49685 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:26.362179041 CET | 49685 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:26.362215996 CET | 443 | 49685 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:26.872733116 CET | 443 | 49685 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:26.872819901 CET | 443 | 49685 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:26.872971058 CET | 49685 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:26.873480082 CET | 49685 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:26.878642082 CET | 49686 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:26.883763075 CET | 80 | 49686 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:26.883883953 CET | 49686 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:26.883949995 CET | 49686 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:26.888925076 CET | 80 | 49686 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:27.584841967 CET | 80 | 49686 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:27.586425066 CET | 49687 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:27.586477995 CET | 443 | 49687 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:27.586553097 CET | 49687 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:27.586798906 CET | 49687 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:27.586816072 CET | 443 | 49687 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:27.637986898 CET | 49686 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:29.341577053 CET | 443 | 49687 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:29.343466997 CET | 49687 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:29.343501091 CET | 443 | 49687 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:29.837810993 CET | 443 | 49687 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:29.838009119 CET | 443 | 49687 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:29.838200092 CET | 49687 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:29.838432074 CET | 49687 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:29.842405081 CET | 49686 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:29.843038082 CET | 49688 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:29.847580910 CET | 80 | 49686 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:29.847676992 CET | 49686 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:29.848083973 CET | 80 | 49688 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:29.848159075 CET | 49688 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:29.852895975 CET | 49688 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:29.857896090 CET | 80 | 49688 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:30.547513008 CET | 80 | 49688 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:30.549138069 CET | 49689 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:30.549200058 CET | 443 | 49689 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:30.549266100 CET | 49689 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:30.549563885 CET | 49689 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:30.549583912 CET | 443 | 49689 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:30.591093063 CET | 49688 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:32.408379078 CET | 443 | 49689 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:32.410092115 CET | 49689 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:32.410126925 CET | 443 | 49689 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:32.894138098 CET | 443 | 49689 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:32.894292116 CET | 443 | 49689 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:32.894354105 CET | 49689 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:32.894686937 CET | 49689 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:32.898143053 CET | 49688 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:32.899389029 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:32.903548002 CET | 80 | 49688 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:32.903629065 CET | 49688 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:32.904455900 CET | 80 | 49690 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:32.904541969 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:32.904702902 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:32.909694910 CET | 80 | 49690 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:33.600992918 CET | 80 | 49690 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:33.602514982 CET | 49691 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:33.602564096 CET | 443 | 49691 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:33.602643967 CET | 49691 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:33.602938890 CET | 49691 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:33.602950096 CET | 443 | 49691 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:33.653665066 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:33.823992968 CET | 80 | 49690 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:33.824259996 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:35.401189089 CET | 443 | 49691 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:35.402858973 CET | 49691 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:35.402904987 CET | 443 | 49691 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:35.936286926 CET | 443 | 49691 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:35.936376095 CET | 443 | 49691 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:35.936435938 CET | 49691 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:35.937011003 CET | 49691 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:35.940990925 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:35.942193031 CET | 49692 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:35.946193933 CET | 80 | 49690 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:35.946252108 CET | 49690 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:35.947216034 CET | 80 | 49692 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:35.947334051 CET | 49692 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:35.947442055 CET | 49692 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:35.952434063 CET | 80 | 49692 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:36.651015997 CET | 80 | 49692 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:36.652467966 CET | 49693 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:36.652513981 CET | 443 | 49693 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:36.652677059 CET | 49693 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:36.652863026 CET | 49693 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:36.652868986 CET | 443 | 49693 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:36.700485945 CET | 49692 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:38.441199064 CET | 443 | 49693 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:38.442950964 CET | 49693 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:38.442967892 CET | 443 | 49693 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:38.971431017 CET | 443 | 49693 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:38.971591949 CET | 443 | 49693 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:38.971672058 CET | 49693 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:38.972078085 CET | 49693 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:38.975095034 CET | 49692 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:38.976421118 CET | 49694 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:38.980372906 CET | 80 | 49692 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:38.980458975 CET | 49692 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:38.981484890 CET | 80 | 49694 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:38.981743097 CET | 49694 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:38.981743097 CET | 49694 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:38.986810923 CET | 80 | 49694 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:39.721858025 CET | 80 | 49694 | 132.226.247.73 | 192.168.2.7 |
| Mar 7, 2025 15:54:39.723495960 CET | 49695 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:39.723541975 CET | 443 | 49695 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:39.723611116 CET | 49695 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:39.723870039 CET | 49695 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:39.723885059 CET | 443 | 49695 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:39.763118982 CET | 49694 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:41.375828981 CET | 443 | 49695 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:41.377680063 CET | 49695 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:41.377703905 CET | 443 | 49695 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:41.923362970 CET | 443 | 49695 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:41.923496962 CET | 443 | 49695 | 104.21.64.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:41.923552990 CET | 49695 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:41.924333096 CET | 49695 | 443 | 192.168.2.7 | 104.21.64.1 |
| Mar 7, 2025 15:54:42.077404022 CET | 49694 | 80 | 192.168.2.7 | 132.226.247.73 |
| Mar 7, 2025 15:54:42.077526093 CET | 49684 | 80 | 192.168.2.7 | 132.226.247.73 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 15:54:18.006041050 CET | 64667 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 7, 2025 15:54:18.013703108 CET | 53 | 64667 | 1.1.1.1 | 192.168.2.7 |
| Mar 7, 2025 15:54:19.000191927 CET | 58098 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 7, 2025 15:54:19.007797003 CET | 53 | 58098 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 15:54:18.006041050 CET | 192.168.2.7 | 1.1.1.1 | 0xd3cb | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 7, 2025 15:54:19.000191927 CET | 192.168.2.7 | 1.1.1.1 | 0xa059 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 15:54:18.013703108 CET | 1.1.1.1 | 192.168.2.7 | 0xd3cb | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:18.013703108 CET | 1.1.1.1 | 192.168.2.7 | 0xd3cb | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:18.013703108 CET | 1.1.1.1 | 192.168.2.7 | 0xd3cb | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:18.013703108 CET | 1.1.1.1 | 192.168.2.7 | 0xd3cb | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:18.013703108 CET | 1.1.1.1 | 192.168.2.7 | 0xd3cb | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:18.013703108 CET | 1.1.1.1 | 192.168.2.7 | 0xd3cb | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 15:54:19.007797003 CET | 1.1.1.1 | 192.168.2.7 | 0xa059 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49681 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:18.028352022 CET | 151 | OUT | |
| Mar 7, 2025 15:54:18.727929115 CET | 273 | IN | |
| Mar 7, 2025 15:54:18.735768080 CET | 127 | OUT | |
| Mar 7, 2025 15:54:18.945441008 CET | 273 | IN | |
| Mar 7, 2025 15:54:21.615669966 CET | 127 | OUT | |
| Mar 7, 2025 15:54:21.825989008 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49684 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:23.920363903 CET | 127 | OUT | |
| Mar 7, 2025 15:54:24.635401964 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49686 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:26.883949995 CET | 151 | OUT | |
| Mar 7, 2025 15:54:27.584841967 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49688 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:29.852895975 CET | 151 | OUT | |
| Mar 7, 2025 15:54:30.547513008 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.7 | 49690 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:32.904702902 CET | 151 | OUT | |
| Mar 7, 2025 15:54:33.600992918 CET | 273 | IN | |
| Mar 7, 2025 15:54:33.823992968 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.7 | 49692 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:35.947442055 CET | 151 | OUT | |
| Mar 7, 2025 15:54:36.651015997 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.7 | 49694 | 132.226.247.73 | 80 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 15:54:38.981743097 CET | 151 | OUT | |
| Mar 7, 2025 15:54:39.721858025 CET | 273 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49682 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:20 UTC | 85 | OUT | |
| 2025-03-07 14:54:21 UTC | 854 | IN | |
| 2025-03-07 14:54:21 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49683 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:23 UTC | 61 | OUT | |
| 2025-03-07 14:54:23 UTC | 855 | IN | |
| 2025-03-07 14:54:23 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49685 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:26 UTC | 85 | OUT | |
| 2025-03-07 14:54:26 UTC | 851 | IN | |
| 2025-03-07 14:54:26 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49687 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:29 UTC | 85 | OUT | |
| 2025-03-07 14:54:29 UTC | 851 | IN | |
| 2025-03-07 14:54:29 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.7 | 49689 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:32 UTC | 85 | OUT | |
| 2025-03-07 14:54:32 UTC | 854 | IN | |
| 2025-03-07 14:54:32 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.7 | 49691 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:35 UTC | 85 | OUT | |
| 2025-03-07 14:54:35 UTC | 858 | IN | |
| 2025-03-07 14:54:35 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.7 | 49693 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:38 UTC | 85 | OUT | |
| 2025-03-07 14:54:38 UTC | 859 | IN | |
| 2025-03-07 14:54:38 UTC | 362 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.7 | 49695 | 104.21.64.1 | 443 | 6836 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 14:54:41 UTC | 85 | OUT | |
| 2025-03-07 14:54:41 UTC | 854 | IN | |
| 2025-03-07 14:54:41 UTC | 362 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:54:14 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\Desktop\HT4YGXBRtx.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xf40000 |
| File size: | 972'800 bytes |
| MD5 hash: | 6C22541A5EAD0CA30EE07FEE745D5EDA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 09:54:16 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xec0000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 09:54:41 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x460000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 09:54:41 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff642da0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 09:54:41 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\SysWOW64\choice.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x750000 |
| File size: | 28'160 bytes |
| MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |