Edit tour
Windows
Analysis Report
V1CCX70AZ8P70ADNI.exe
Overview
General Information
| Sample name: | V1CCX70AZ8P70ADNI.exe |
| Analysis ID: | 1631862 |
| MD5: | c8b01a488052a5368731fe95a056639e |
| SHA1: | 78a64b7cd6a75bd309174bf78fc6d28d524ce3cf |
| SHA256: | 7cafcb54154e4e5f9e6c2b23b436a3ea4bdc9d1e0aa12868f3940c7567d8edab |
| Tags: | exeuser-aachum |
| Infos: |   |
 | |
Detection
Clipboard Hijacker
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Clipboard Hijacker
Drops PE files with benign system names
Joe Sandbox ML detected suspicious sample
Potentially malicious time measurement code found
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
V1CCX70AZ8P70ADNI.exe (PID: 6784 cmdline: "C:\Users\ user\Deskt op\V1CCX70 AZ8P70ADNI .exe" MD5: C8B01A488052A5368731FE95A056639E) 
cmd.exe (PID: 7000 cmdline: C:\Windows \system32\ cmd.exe /c start cmd /C "ping localhost -n 1 && st art C:\Use rs\user\Ap pData\Loca l\explorer .exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7076 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7120 cmdline:
cmd /C "pi ng localho st -n 1 && start C:\ Users\user \AppData\L ocal\explo rer.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7132 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 6252 cmdline:
ping local host -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D) - explorer.exe (PID: 2520 cmdline:
C:\Users\u ser\AppDat a\Local\ex plorer.exe MD5: C8B01A488052A5368731FE95A056639E)
- explorer.exe (PID: 3052 cmdline:
"C:\Users\ user\AppDa ta\Local\e xplorer.ex e" MD5: C8B01A488052A5368731FE95A056639E)
- explorer.exe (PID: 6464 cmdline:
"C:\Users\ user\AppDa ta\Local\e xplorer.ex e" MD5: C8B01A488052A5368731FE95A056639E)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
System Summary |   |
|---|
| Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Process created: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 0_2_00007FF6A8AFBFF0 | |
| Source: | Code function: | 0_2_00007FF6A8AFEFE2 | |
| Source: | Code function: | 0_2_00007FF6A8AFE400 | |
| Source: | Code function: | 0_2_00007FF6A8AFA172 | |
| Source: | Code function: | 0_2_00007FF6A8AFED70 | |
| Source: | Code function: | 0_2_00007FF6A8AFB760 | |
| Source: | Code function: | 0_2_00007FF6A8AF7740 | |
| Source: | Code function: | 0_2_00007FF6A8AFE540 | |
| Source: | Code function: | 0_2_00007FF6A8AFA9B0 | |
| Source: | Code function: | 0_2_00007FF6A8AFB5A0 | |
| Source: | Code function: | 0_2_00007FF6A8AF95A0 | |
| Source: | Code function: | 0_2_00007FF6A8AF3780 | |
| Source: | Code function: | 0_2_00007FF6A8AFA180 | |
| Source: | Code function: | 0_2_00007FF6A8AFBCC0 | |
| Source: | Code function: | 0_2_00007FF6A8AFB900 | |
| Source: | Code function: | 0_2_00007FF6A8AFB260 | |
| Source: | Code function: | 0_2_00007FF6A8AFBE60 | |
| Source: | Code function: | 0_2_00007FF6A8AF5C40 | |
| Source: | Code function: | 0_2_00007FF6A8AF7A40 | |
| Source: | Code function: | 0_2_00007FF6A8AF78A0 | |
| Source: | Code function: | 0_2_00007FF6A8AFCAA0 | |
| Source: | Code function: | 0_2_00007FF6A8AFF0A0 | |
| Source: | Code function: | 0_2_00007FF6A8AF8E80 | |
| Source: | Code function: | 6_2_00007FF64928B260 | |
| Source: | Code function: | 6_2_00007FF64928BE60 | |
| Source: | Code function: | 6_2_00007FF649285C40 | |
| Source: | Code function: | 6_2_00007FF649287A40 | |
| Source: | Code function: | 6_2_00007FF64928CAA0 | |
| Source: | Code function: | 6_2_00007FF64928F0A0 | |
| Source: | Code function: | 6_2_00007FF6492878A0 | |
| Source: | Code function: | 6_2_00007FF649288E80 | |
| Source: | Code function: | 6_2_00007FF64928BCC0 | |
| Source: | Code function: | 6_2_00007FF64928B900 | |
| Source: | Code function: | 6_2_00007FF64928ED70 | |
| Source: | Code function: | 6_2_00007FF64928A172 | |
| Source: | Code function: | 6_2_00007FF64928B760 | |
| Source: | Code function: | 6_2_00007FF64928E540 | |
| Source: | Code function: | 6_2_00007FF649287740 | |
| Source: | Code function: | 6_2_00007FF64928A9B0 | |
| Source: | Code function: | 6_2_00007FF64928B5A0 | |
| Source: | Code function: | 6_2_00007FF6492895A0 | |
| Source: | Code function: | 6_2_00007FF64928A180 | |
| Source: | Code function: | 6_2_00007FF649283780 | |
| Source: | Code function: | 6_2_00007FF64928BFF0 | |
| Source: | Code function: | 6_2_00007FF64928EFE2 | |
| Source: | Code function: | 6_2_00007FF64928E400 | |
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00007FF6A8AF8313 | |
| Source: | Code function: | 0_2_00007FF6A8AF8313 | |
| Source: | Code function: | 6_2_00007FF649288313 | |
| Source: | Code function: | 6_2_00007FF649288313 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
Malware Analysis System Evasion | |
|---|
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6A8AF1380 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Code function: | 0_2_00007FF6A8AF1380 | |
| Source: | Code function: | 0_2_00007FF6A8AF1330 | |
| Source: | Code function: | 6_2_00007FF649281330 | |
| Source: | Code function: | 6_2_00007FF649281380 | |
| Source: | Process queried: | Jump to behavior | ||
| Source: | Process queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6A8AF1380 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF6A8C77374 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 111 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 3 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 111 Process Injection | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 11 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 65% | Virustotal | Browse | ||
| 63% | ReversingLabs | Win32.Ransomware.ClipboardHijacker | ||
| 100% | Avira | TR/Spy.Banker.kdiut |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Spy.Banker.kdiut | ||
| 63% | ReversingLabs | Win32.Ransomware.ClipboardHijacker |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| raw.githubusercontent.com | 185.199.111.133 | true | false | high | |
| ip-api.com | 208.95.112.1 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.208.159.226 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | true | |
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false | |
| 185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1631862 |
| Start date and time: | 2025-03-07 16:41:51 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 14s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 18 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | V1CCX70AZ8P70ADNI.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@13/9@2/3 |
| EGA Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.199.214.10, 23.60.203.209
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
- Execution Graph export aborted for target V1CCX70AZ8P70ADNI.exe, PID 6784 because there are no executed function
- Execution Graph export aborted for target explorer.exe, PID 2520 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 10:43:42 | API Interceptor | |
| 16:42:52 | Autostart | |
| 16:43:00 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 208.95.112.1 | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, Njrat | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse |
| ||
| 185.199.111.133 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| raw.githubusercontent.com | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Python Stealer, Empyrean, Quasar, Discord Token Stealer | Browse |
| ||
| Get hash | malicious | AveMaria, Clipboard Hijacker, StormKitty | Browse |
| ||
| Get hash | malicious | AveMaria, Clipboard Hijacker, StormKitty | Browse |
| ||
| Get hash | malicious | AveMaria, Clipboard Hijacker, StormKitty | Browse |
| ||
| Get hash | malicious | AveMaria, Clipboard Hijacker, StormKitty | Browse |
| ||
| Get hash | malicious | AveMaria, Clipboard Hijacker, StormKitty | Browse |
| ||
| ip-api.com | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, Njrat | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| FASTLYUS | Get hash | malicious | KnowBe4 | Browse |
| |
| Get hash | malicious | HTMLPhisher, Invisible JS | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Invisible JS | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Invisible JS | Browse |
| ||
| TUT-ASUS | Get hash | malicious | AgentTesla | Browse |
| |
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, Njrat | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse |
| ||
| SIMPLECARRER2IT | Get hash | malicious | Xmrig | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | Browse |
| ||
| Get hash | malicious | Quasar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
|
⊘No context
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\921f83fca6994291b4bc3aa90673460d[1].json
Download File
| Process: | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5 |
| Entropy (8bit): | 1.9219280948873623 |
| Encrypted: | false |
| SSDEEP: | 3:6:6 |
| MD5: | A01AB5C0FF81A60B7D1CEA84CC7DCB7A |
| SHA1: | D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0 |
| SHA-256: | 53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232 |
| SHA-512: | F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 165 |
| Entropy (8bit): | 5.060832195732379 |
| Encrypted: | false |
| SSDEEP: | 3:BztLQhNEIGKXOASdXYGv5VYGGEwAyBvMHLWLvFPVXqSsXMEe:BZLQhNEMeAuIGv5VYi1hCLvzqSsX3e |
| MD5: | 4E2E625E7C3CC184B4F583177B2389BD |
| SHA1: | D17F842BD24F93C63E832E4BE803C3C4D9406DB9 |
| SHA-256: | D3A732806D980847D2ED9C6BBA55AF91E3A959E08FFB09DD1DF9F9169B24282C |
| SHA-512: | 92214BE83D28FCC8598CFF05AFFB0FBF54835D142035692F083F2AFDC811B1855EB23000B981FCB5157879A74D8A24DD8C49A103D6631612337A31CDA3A39914 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\921f83fca6994291b4bc3aa90673460d[1].json
Download File
| Process: | C:\Users\user\AppData\Local\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5 |
| Entropy (8bit): | 1.9219280948873623 |
| Encrypted: | false |
| SSDEEP: | 3:6:6 |
| MD5: | A01AB5C0FF81A60B7D1CEA84CC7DCB7A |
| SHA1: | D0BC07EAB4BE33F0E19FF3F812AA27CDA3BE7CD0 |
| SHA-256: | 53CD6B72987929CB8E78FCAD49CBACF653683D9E367C0EDB1925982229E91232 |
| SHA-512: | F53AD574B732E638C54EE91725118639BC273CC1E0BFC5D46E332FDC2FBE29785AD29CF1FD72CF6095ECBF435D085826DA0DCD70249992BE11FB8C8DDB425E82 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 21 |
| Entropy (8bit): | 3.010434089033337 |
| Encrypted: | false |
| SSDEEP: | 3:EQj7UFXDf/:EQnUtDf/ |
| MD5: | 92D65DE01D0749FDA422A3CA9DFFD46B |
| SHA1: | 59D246850168572359D67DAE5F246C4CF9C4D3E5 |
| SHA-256: | F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4 |
| SHA-512: | 29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\explorer.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 21 |
| Entropy (8bit): | 3.010434089033337 |
| Encrypted: | false |
| SSDEEP: | 3:EQj7UFXDf/:EQnUtDf/ |
| MD5: | 92D65DE01D0749FDA422A3CA9DFFD46B |
| SHA1: | 59D246850168572359D67DAE5F246C4CF9C4D3E5 |
| SHA-256: | F6AFFEFD5085E01E46FD3EAF216AF82D28E475A581D263554A7959A26217F2A4 |
| SHA-512: | 29B24409B9D2F74C9F679FF10266A3D8790800A0E8F9C0D3C622FBA4E8B867F31C3B1BD1E79DFEF94471143FC57B27528B1A9808BCC4ABEFD8CE28DDF1F10DB1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 165 |
| Entropy (8bit): | 5.060832195732379 |
| Encrypted: | false |
| SSDEEP: | 3:BztLQhNEIGKXOASdXYGv5VYGGEwAyBvMHLWLvFPVXqSsXMEe:BZLQhNEMeAuIGv5VYi1hCLvzqSsX3e |
| MD5: | 4E2E625E7C3CC184B4F583177B2389BD |
| SHA1: | D17F842BD24F93C63E832E4BE803C3C4D9406DB9 |
| SHA-256: | D3A732806D980847D2ED9C6BBA55AF91E3A959E08FFB09DD1DF9F9169B24282C |
| SHA-512: | 92214BE83D28FCC8598CFF05AFFB0FBF54835D142035692F083F2AFDC811B1855EB23000B981FCB5157879A74D8A24DD8C49A103D6631612337A31CDA3A39914 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\AppData\Local\explorer.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:V:V |
| MD5: | CFCD208495D565EF66E7DFF9F98764DA |
| SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
| SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3648000 |
| Entropy (8bit): | 7.314772058336657 |
| Encrypted: | false |
| SSDEEP: | 49152:FmVwASOEGtlqCKIU6il1WrcTEhTWdrGa+nQEycjrAyn5VYRVctpXkESh491acOIm:2d+Vh5yUcOJx9iKqHHhrX2ANMnV |
| MD5: | C8B01A488052A5368731FE95A056639E |
| SHA1: | 78A64B7CD6A75BD309174BF78FC6D28D524CE3CF |
| SHA-256: | 7CAFCB54154E4E5F9E6C2B23B436A3EA4BDC9D1E0AA12868F3940C7567D8EDAB |
| SHA-512: | 2F201307BE311A6653162B2F0B9A6C999D0D9A651C09DB4454DD1998213964D852012BED500D820512629F33DE5B19C632B697CC249D6336FF56DE64AE081215 |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:ggPYV:rPYV |
| MD5: | 187F488E27DB4AF347237FE461A079AD |
| SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
| SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
| SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
| Malicious: | true |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.314772058336657 |
| TrID: |
|
| File name: | V1CCX70AZ8P70ADNI.exe |
| File size: | 3'648'000 bytes |
| MD5: | c8b01a488052a5368731fe95a056639e |
| SHA1: | 78a64b7cd6a75bd309174bf78fc6d28d524ce3cf |
| SHA256: | 7cafcb54154e4e5f9e6c2b23b436a3ea4bdc9d1e0aa12868f3940c7567d8edab |
| SHA512: | 2f201307be311a6653162b2f0b9a6c999d0d9a651c09db4454dd1998213964d852012bed500d820512629f33de5b19c632b697cc249d6336ff56de64ae081215 |
| SSDEEP: | 49152:FmVwASOEGtlqCKIU6il1WrcTEhTWdrGa+nQEycjrAyn5VYRVctpXkESh491acOIm:2d+Vh5yUcOJx9iKqHHhrX2ANMnV |
| TLSH: | C7F5D016B3A800E9D87BC13CD9964133E7B2B86917B0ABDB02A496751F237E15F3E741 |
| File Content Preview: | MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................-...................................................................................a.......a...... |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x140186c00 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67C9FC84 [Thu Mar 6 19:50:28 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 290b5b74ed388a2f4e81683b8fd40b54 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007FE178E0F090h |
| dec eax |
| add esp, 28h |
| jmp 00007FE178E0E797h |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| dec eax |
| lea ecx, dword ptr [001E403Ch] |
| call dword ptr [00039736h] |
| mov eax, dword ptr [001DD224h] |
| dec eax |
| lea ecx, dword ptr [001E4029h] |
| mov edx, dword ptr [001E4043h] |
| inc eax |
| mov dword ptr [001DD20Fh], eax |
| mov dword ptr [ebx], eax |
| dec eax |
| mov eax, dword ptr [00000058h] |
| inc ecx |
| mov ecx, 00000004h |
| dec esp |
| mov eax, dword ptr [eax+edx*8] |
| mov eax, dword ptr [001DD1F4h] |
| inc ebx |
| mov dword ptr [ecx+eax], eax |
| call dword ptr [000396EEh] |
| dec eax |
| lea ecx, dword ptr [001E3FE7h] |
| dec eax |
| add esp, 20h |
| pop ebx |
| dec eax |
| jmp dword ptr [000396EBh] |
| int3 |
| int3 |
| int3 |
| inc eax |
| push ebx |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov ebx, ecx |
| dec eax |
| lea ecx, dword ptr [001E3FD0h] |
| call dword ptr [000396CAh] |
| cmp dword ptr [ebx], 00000000h |
| jne 00007FE178E0E944h |
| or dword ptr [ebx], FFFFFFFFh |
| jmp 00007FE178E0E967h |
| inc ebp |
| xor ecx, ecx |
| dec eax |
| lea edx, dword ptr [001E3FB6h] |
| inc ecx |
| or eax, FFFFFFFFh |
| dec eax |
| lea ecx, dword ptr [001E3FA3h] |
| call dword ptr [000396B5h] |
| jmp 00007FE178E0E8FBh |
| cmp dword ptr [ebx], FFFFFFFFh |
| je 00007FE178E0E900h |
| dec eax |
| mov eax, dword ptr [00000058h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35fbfc | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37e000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x36d000 | 0x10d4c | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x37f000 | 0x5b54 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x349ad0 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x349d00 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x349990 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1c0000 | 0x5f0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1be218 | 0x1be400 | 5ee6900e233399fbbeb91fdab545e3cb | False | 0.509053855917367 | data | 6.862700216670016 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x1c0000 | 0x1a1098 | 0x1a1200 | 697c25748c064e00df241769bd360dbe | False | 0.8067225661147738 | data | 7.483660133608383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x362000 | 0xa784 | 0x4400 | c50ba30d1b757a6501baada5cc8f82a5 | False | 0.21513097426470587 | data | 3.5776227565874184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x36d000 | 0x10d4c | 0x10e00 | 8c6deaa3bc221c0ebd206b87b41fa1e3 | False | 0.4868923611111111 | data | 6.1448501326051055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x37e000 | 0x1e0 | 0x200 | 8596ef18191b12d8e3bec098ab630c55 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x37f000 | 0x5b54 | 0x5c00 | 2fb46eefcec0f38676ac873933237374 | False | 0.27390455163043476 | data | 5.447763627867713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x37e060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CheckRemoteDebuggerPresent, GlobalMemoryStatusEx, SetFileAttributesA, GetSystemInfo, CloseHandle, GlobalAlloc, CreateFileA, OpenMutexA, CopyFileA, SetEndOfFile, WriteConsoleW, GetTimeZoneInformation, GetTempPathA, Sleep, CreateFileW, CreateMutexA, DeviceIoControl, WriteFile, GetCurrentProcess, GetModuleFileNameA, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SetStdHandle, HeapSize, CreateProcessW, GetExitCodeProcess, WaitForSingleObject, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetLastError, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetStdHandle, GetEnvironmentVariableW, GetFileType, GetModuleHandleW, GetProcAddress, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, RtlVirtualUnwind, DeleteFiber, WideCharToMultiByte, GetCurrentProcessId, GetSystemTimeAsFileTime, ConvertFiberToThread, FreeLibrary, LoadLibraryA, LoadLibraryW, FindClose, FindFirstFileW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LocalFree, FormatMessageA, GetLocaleInfoEx, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, SetFileInformationByHandle, AreFileApisANSI, GetFileInformationByHandleEx, TryAcquireSRWLockExclusive, WaitForSingleObjectEx, GetExitCodeThread, LCMapStringEx, InitializeCriticalSectionEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, GetStringTypeW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, ExitProcess, SetConsoleCtrlHandler, ReadFile, GetDriveTypeW, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, RtlUnwind |
| USER32.dll | GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetProcessWindowStation, SetClipboardData, GetClipboardSequenceNumber, GetUserObjectInformationW, MessageBoxW |
| ADVAPI32.dll | CryptGetUserKey, CryptGetProvParam, CryptExportKey, CryptDecrypt, CryptCreateHash, CryptDestroyHash, CryptSignHashW, CryptEnumProvidersW, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, CryptSetHashParam, RegCreateKeyA, RegSetValueExA |
| SHELL32.dll | ShellExecuteA |
| bcrypt.dll | BCryptGenRandom |
| WININET.dll | InternetOpenA, InternetCloseHandle, InternetReadFile, InternetOpenUrlA |
| CRYPT32.dll | CertEnumCertificatesInStore, CertFindCertificateInStore, CertOpenStore, CertFreeCertificateContext, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertCloseStore |
| WS2_32.dll | WSACleanup, WSAGetLastError, closesocket, recv, send, WSASetLastError |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 16:42:44.489732027 CET | 49681 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:44.494854927 CET | 80 | 49681 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:44.495359898 CET | 49681 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:44.495564938 CET | 49681 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:44.500685930 CET | 80 | 49681 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:44.994868040 CET | 80 | 49681 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:44.994935989 CET | 49681 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:45.022108078 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:45.022159100 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:45.022221088 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:45.032568932 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:45.032597065 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:46.970232964 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:46.970303059 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.137681007 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.137712955 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.138098955 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.138161898 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.165663958 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.212326050 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.774776936 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.774883032 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.774914026 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.774980068 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.776820898 CET | 49682 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:47.776843071 CET | 443 | 49682 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.806572914 CET | 49683 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:47.811722994 CET | 8888 | 49683 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:47.811846972 CET | 49683 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:47.811975002 CET | 49683 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:47.817001104 CET | 8888 | 49683 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:48.907634974 CET | 8888 | 49683 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:48.907720089 CET | 49683 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:50.181380033 CET | 49681 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:50.181562901 CET | 49683 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:50.218357086 CET | 49684 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:50.223462105 CET | 80 | 49684 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:50.223598957 CET | 49684 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:50.223972082 CET | 49684 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:50.228976965 CET | 80 | 49684 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:50.715259075 CET | 80 | 49684 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:50.715328932 CET | 49684 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:42:50.782612085 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:50.782666922 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:50.782748938 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:50.790486097 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:50.790518999 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:52.681029081 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:52.681159973 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:52.702953100 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:52.702997923 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:52.703098059 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:52.703110933 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:52.703588009 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:52.703660011 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:53.263307095 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:53.263370991 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:53.263406992 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:53.263432980 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:53.263448000 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:53.263463020 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:53.264039993 CET | 49685 | 443 | 192.168.2.7 | 185.199.111.133 |
| Mar 7, 2025 16:42:53.264060974 CET | 443 | 49685 | 185.199.111.133 | 192.168.2.7 |
| Mar 7, 2025 16:42:53.286297083 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:53.291318893 CET | 8888 | 49686 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:53.291389942 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:53.291583061 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:53.296552896 CET | 8888 | 49686 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:54.194355965 CET | 8888 | 49686 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:54.194432020 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:42:59.194803953 CET | 8888 | 49686 | 185.208.159.226 | 192.168.2.7 |
| Mar 7, 2025 16:42:59.194885969 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:43:56.771505117 CET | 80 | 49684 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:43:56.771661997 CET | 49684 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:44:40.175806046 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:44:40.175960064 CET | 49684 | 80 | 192.168.2.7 | 208.95.112.1 |
| Mar 7, 2025 16:44:40.181169033 CET | 80 | 49684 | 208.95.112.1 | 192.168.2.7 |
| Mar 7, 2025 16:44:40.487937927 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:44:41.097275019 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:44:42.300353050 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:44:44.706562996 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Mar 7, 2025 16:44:49.519184113 CET | 49686 | 8888 | 192.168.2.7 | 185.208.159.226 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 16:42:44.474914074 CET | 60685 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 7, 2025 16:42:44.482589960 CET | 53 | 60685 | 1.1.1.1 | 192.168.2.7 |
| Mar 7, 2025 16:42:45.012891054 CET | 62020 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 7, 2025 16:42:45.021193027 CET | 53 | 62020 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 16:42:44.474914074 CET | 192.168.2.7 | 1.1.1.1 | 0x2123 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 7, 2025 16:42:45.012891054 CET | 192.168.2.7 | 1.1.1.1 | 0x1ab3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 16:42:44.482589960 CET | 1.1.1.1 | 192.168.2.7 | 0x2123 | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 16:42:45.021193027 CET | 1.1.1.1 | 192.168.2.7 | 0x1ab3 | No error (0) | 185.199.111.133 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 16:42:45.021193027 CET | 1.1.1.1 | 192.168.2.7 | 0x1ab3 | No error (0) | 185.199.109.133 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 16:42:45.021193027 CET | 1.1.1.1 | 192.168.2.7 | 0x1ab3 | No error (0) | 185.199.108.133 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 16:42:45.021193027 CET | 1.1.1.1 | 192.168.2.7 | 0x1ab3 | No error (0) | 185.199.110.133 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49681 | 208.95.112.1 | 80 | 6784 | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 16:42:44.495564938 CET | 86 | OUT | |
| Mar 7, 2025 16:42:44.994868040 CET | 336 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49683 | 185.208.159.226 | 8888 | 6784 | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 16:42:47.811975002 CET | 124 | OUT | |
| Mar 7, 2025 16:42:48.907634974 CET | 129 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49684 | 208.95.112.1 | 80 | 2520 | C:\Users\user\AppData\Local\explorer.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 16:42:50.223972082 CET | 86 | OUT | |
| Mar 7, 2025 16:42:50.715259075 CET | 336 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49686 | 185.208.159.226 | 8888 | 2520 | C:\Users\user\AppData\Local\explorer.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 16:42:53.291583061 CET | 124 | OUT | |
| Mar 7, 2025 16:42:54.194355965 CET | 129 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49682 | 185.199.111.133 | 443 | 6784 | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 15:42:47 UTC | 141 | OUT | |
| 2025-03-07 15:42:47 UTC | 893 | IN | |
| 2025-03-07 15:42:47 UTC | 21 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49685 | 185.199.111.133 | 443 | 2520 | C:\Users\user\AppData\Local\explorer.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 15:42:52 UTC | 141 | OUT | |
| 2025-03-07 15:42:53 UTC | 891 | IN | |
| 2025-03-07 15:42:53 UTC | 21 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:42:43 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\Desktop\V1CCX70AZ8P70ADNI.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6a8af0000 |
| File size: | 3'648'000 bytes |
| MD5 hash: | C8B01A488052A5368731FE95A056639E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 10:42:48 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff65c940000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 10:42:48 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff642da0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 10:42:48 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff65c940000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 10:42:48 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff642da0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 10:42:48 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\System32\PING.EXE |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff654c50000 |
| File size: | 22'528 bytes |
| MD5 hash: | 2F46799D79D22AC72C241EC0322B011D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 10:42:48 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\AppData\Local\explorer.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff649280000 |
| File size: | 3'648'000 bytes |
| MD5 hash: | C8B01A488052A5368731FE95A056639E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
| Target ID: | 7 |
| Start time: | 10:43:00 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\AppData\Local\explorer.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff649280000 |
| File size: | 3'648'000 bytes |
| MD5 hash: | C8B01A488052A5368731FE95A056639E |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 8 |
| Start time: | 10:43:08 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\AppData\Local\explorer.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff649280000 |
| File size: | 3'648'000 bytes |
| MD5 hash: | C8B01A488052A5368731FE95A056639E |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |