Edit tour
Windows
Analysis Report
NmuA605dM4.exe
Overview
General Information
| Sample name: | NmuA605dM4.exerenamed because original name is a hash value |
| Original sample name: | bd60ebef71e2759f1b06ca6766f8d21d418a8fa99d69d0009004d461b8cb6f87.exe |
| Analysis ID: | 1632203 |
| MD5: | 0d36f475590e673e4303bc2beb338d72 |
| SHA1: | fbea0f77026dfd797473578ac35504842ef9f20c |
| SHA256: | bd60ebef71e2759f1b06ca6766f8d21d418a8fa99d69d0009004d461b8cb6f87 |
| Tags: | exeSnakeKeyloggeruser-adrian__luca |
| Infos: |   |
 | |
Detection
MSIL Logger, MassLogger RAT
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
NmuA605dM4.exe (PID: 7064 cmdline: "C:\Users\ user\Deskt op\NmuA605 dM4.exe" MD5: 0D36F475590E673E4303BC2BEB338D72) 
RegSvcs.exe (PID: 6284 cmdline: "C:\Users\ user\Deskt op\NmuA605 dM4.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
{"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": " 54460hetteXzeLJ Z+l!UyU_nadu \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| Click to see the 18 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| Click to see the 13 entries | ||||
System Summary |   |
|---|
| Source: | Author: frack113: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T20:51:52.329502+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49681 | 132.226.8.169 | 80 | TCP |
| 2025-03-07T20:52:01.470071+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49681 | 132.226.8.169 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
Location Tracking | |
|---|
| Source: | DNS query: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00A7445A | |
| Source: | Code function: | 0_2_00A7C6D1 | |
| Source: | Code function: | 0_2_00A7C75C | |
| Source: | Code function: | 0_2_00A7EF95 | |
| Source: | Code function: | 0_2_00A7F0F2 | |
| Source: | Code function: | 0_2_00A7F3F3 | |
| Source: | Code function: | 0_2_00A737EF | |
| Source: | Code function: | 0_2_00A73B12 | |
| Source: | Code function: | 0_2_00A7BCBC | |
| Source: | Code function: | 2_2_02B1A3C0 | |
| Source: | Code function: | 2_2_02B19E00 | |
| Source: | Code function: | 2_2_02B1E220 | |
| Source: | Code function: | 2_2_02B1A3B0 | |
| Source: | Code function: | 2_2_02B1E7F0 | |
| Source: | Code function: | 2_2_02B1A706 | |
| Source: | Code function: | 2_2_02B1EC48 | |
| Source: | Code function: | 2_2_02B1F0A0 | |
| Source: | Code function: | 2_2_02B1F4F8 | |
| Source: | Code function: | 2_2_02B1F950 | |
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS query: | ||
| Source: | DNS query: | ||
| Source: | Suricata IDS: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00A822EE | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | .Net Code: | ||
| Source: | Code function: | 0_2_00A84164 | |
| Source: | Code function: | 0_2_00A84164 | |
| Source: | Code function: | 0_2_00A83F66 | |
| Source: | Code function: | 0_2_00A7001C | |
| Source: | Code function: | 0_2_00A9CABC | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_00A13B3A | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | memstr_6b1cc5f5-1 | |
| Source: | String found in binary or memory: | memstr_eeb1a3c1-1 | |
| Source: | String found in binary or memory: | memstr_aeef38c9-3 | |
| Source: | String found in binary or memory: | memstr_262d08e1-2 | |
| Source: | Code function: | 0_2_00A7A1EF | |
| Source: | Code function: | 0_2_00A68310 | |
| Source: | Code function: | 0_2_00A751BD | |
| Source: | Code function: | 0_2_00A1E6A0 | |
| Source: | Code function: | 0_2_00A3D975 | |
| Source: | Code function: | 0_2_00A321C5 | |
| Source: | Code function: | 0_2_00A462D2 | |
| Source: | Code function: | 0_2_00A903DA | |
| Source: | Code function: | 0_2_00A4242E | |
| Source: | Code function: | 0_2_00A325FA | |
| Source: | Code function: | 0_2_00A266E1 | |
| Source: | Code function: | 0_2_00A6E616 | |
| Source: | Code function: | 0_2_00A4878F | |
| Source: | Code function: | 0_2_00A78889 | |
| Source: | Code function: | 0_2_00A28808 | |
| Source: | Code function: | 0_2_00A46844 | |
| Source: | Code function: | 0_2_00A90857 | |
| Source: | Code function: | 0_2_00A3CB21 | |
| Source: | Code function: | 0_2_00A46DB6 | |
| Source: | Code function: | 0_2_00A26F9E | |
| Source: | Code function: | 0_2_00A23030 | |
| Source: | Code function: | 0_2_00A33187 | |
| Source: | Code function: | 0_2_00A3F1D9 | |
| Source: | Code function: | 0_2_00A11287 | |
| Source: | Code function: | 0_2_00A31484 | |
| Source: | Code function: | 0_2_00A25520 | |
| Source: | Code function: | 0_2_00A37696 | |
| Source: | Code function: | 0_2_00A25760 | |
| Source: | Code function: | 0_2_00A31978 | |
| Source: | Code function: | 0_2_00A49AB5 | |
| Source: | Code function: | 0_2_00A1FCE0 | |
| Source: | Code function: | 0_2_00A3BDA6 | |
| Source: | Code function: | 0_2_00A31D90 | |
| Source: | Code function: | 0_2_00A97DDB | |
| Source: | Code function: | 0_2_00A23FE0 | |
| Source: | Code function: | 0_2_00A1DF00 | |
| Source: | Code function: | 0_2_01843620 | |
| Source: | Code function: | 2_2_02B127B9 | |
| Source: | Code function: | 2_2_02B12DD1 | |
| Source: | Code function: | 2_2_02B1DB08 | |
| Source: | Code function: | 2_2_02B19E00 | |
| Source: | Code function: | 2_2_02B1E220 | |
| Source: | Code function: | 2_2_02B1E7F0 | |
| Source: | Code function: | 2_2_02B1E7E0 | |
| Source: | Code function: | 2_2_02B1EC39 | |
| Source: | Code function: | 2_2_02B1EC48 | |
| Source: | Code function: | 2_2_02B1F0A0 | |
| Source: | Code function: | 2_2_02B1F090 | |
| Source: | Code function: | 2_2_02B1F4F8 | |
| Source: | Code function: | 2_2_02B1F4E8 | |
| Source: | Code function: | 2_2_02B1F950 | |
| Source: | Code function: | 2_2_02B1F941 | |
| Source: | Code function: | 2_2_02B19DEF | |
| Source: | Code function: | 2_2_063C5E0C | |
| Source: | Code function: | 2_2_063CB650 | |
| Source: | Code function: | 2_2_063C3200 | |
| Source: | Code function: | 2_2_063C6C71 | |
| Source: | Code function: | 2_2_063C4A60 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Cryptographic APIs: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00A7A06A | |
| Source: | Code function: | 0_2_00A681CB | |
| Source: | Code function: | 0_2_00A687E1 | |
| Source: | Code function: | 0_2_00A7B3FB | |
| Source: | Code function: | 0_2_00A8EE0D | |
| Source: | Code function: | 0_2_00A883BB | |
| Source: | Code function: | 0_2_00A14E89 | |
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00A14B37 | |
| Source: | Code function: | 0_2_00A38958 | |
| Source: | Code function: | 2_2_02B1BFED | |
| Source: | Code function: | 2_2_02B138EA | |
| Source: | Code function: | 2_2_02B1390A | |
| Source: | Code function: | 2_2_02B138FA | |
| Source: | Code function: | 2_2_02B138FA | |
| Source: | Code function: | 2_2_02B1391A | |
| Source: | Code function: | 2_2_02B1390A | |
| Source: | Code function: | 2_2_02B1BFED | |
| Source: | Code function: | 0_2_00A148D7 | |
| Source: | Code function: | 0_2_00A95376 | |
| Source: | Code function: | 0_2_00A33187 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_0-105435 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 0_2_00A7445A | |
| Source: | Code function: | 0_2_00A7C6D1 | |
| Source: | Code function: | 0_2_00A7C75C | |
| Source: | Code function: | 0_2_00A7EF95 | |
| Source: | Code function: | 0_2_00A7F0F2 | |
| Source: | Code function: | 0_2_00A7F3F3 | |
| Source: | Code function: | 0_2_00A737EF | |
| Source: | Code function: | 0_2_00A73B12 | |
| Source: | Code function: | 0_2_00A7BCBC | |
| Source: | Code function: | 0_2_00A149A0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00A83F09 | |
| Source: | Code function: | 0_2_00A13B3A | |
| Source: | Code function: | 0_2_00A45A7C | |
| Source: | Code function: | 0_2_00A14B37 | |
| Source: | Code function: | 0_2_01843510 | |
| Source: | Code function: | 0_2_018434B0 | |
| Source: | Code function: | 0_2_01841E70 | |
| Source: | Code function: | 0_2_00A680A9 | |
| Source: | Code function: | 0_2_00A3A124 | |
| Source: | Code function: | 0_2_00A3A155 | |
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Reference to suspicious API methods: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Code function: | 0_2_00A687B1 | |
| Source: | Code function: | 0_2_00A13B3A | |
| Source: | Code function: | 0_2_00A148D7 | |
| Source: | Code function: | 0_2_00A74C27 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00A67CAF | |
| Source: | Code function: | 0_2_00A6874B | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00A3862B | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00A44E87 | |
| Source: | Code function: | 0_2_00A51E06 | |
| Source: | Code function: | 0_2_00A43F3A | |
| Source: | Code function: | 0_2_00A149A0 | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_00A86283 | |
| Source: | Code function: | 0_2_00A86747 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 12 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 127 System Information Discovery | Distributed Component Object Model | 121 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 131 Security Software Discovery | SSH | 3 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | Virustotal | Browse | ||
| 50% | ReversingLabs | Win32.Trojan.AutoitInject | ||
| 100% | Avira | TR/AD.ShellcodeCrypter.yqbaa |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 104.21.16.1 | true | false | high | |
| grupomaya.mx | 198.59.144.139 | true | true | unknown | |
| checkip.dyndns.com | 132.226.8.169 | true | false | high | |
| mail.grupomaya.mx | unknown | unknown | true | unknown | |
| checkip.dyndns.org | unknown | unknown | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false | |
| 104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false | |
| 198.59.144.139 | grupomaya.mx | United States | 13332 | HYPEENT-SJUS | true |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1632203 |
| Start date and time: | 2025-03-07 20:50:48 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 12 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | NmuA605dM4.exerenamed because original name is a hash value |
| Original Sample Name: | bd60ebef71e2759f1b06ca6766f8d21d418a8fa99d69d0009004d461b8cb6f87.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@3/4@3/3 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.199.214.10
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 14:52:00 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 132.226.8.169 | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| 104.21.16.1 | Get hash | malicious | FormBook | Browse |
| |
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Lokibot | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| reallyfreegeoip.org | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| checkip.dyndns.com | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Growtopia, Phoenix Stealer | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| UTMEMUS | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| HYPEENT-SJUS | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Chaos | Browse |
| ||
| Get hash | malicious | Chaos | Browse |
| ||
| Get hash | malicious | Chaos | Browse |
| ||
| Get hash | malicious | Chaos | Browse |
| ||
| Get hash | malicious | Chaos | Browse |
| ||
| Get hash | malicious | Chaos | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| |
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
| ||
| Get hash | malicious | MSIL Logger, MassLogger RAT | Browse |
| ||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\NmuA605dM4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 63788 |
| Entropy (8bit): | 7.845529584299243 |
| Encrypted: | false |
| SSDEEP: | 1536:HBscWhfJw3+JOqLDpeZgiT0Fe3cQPE88f/SEr22YU:hERikDp5HvqcYU |
| MD5: | EC8CE4F20BA604BFCD2CF398C708E8F9 |
| SHA1: | 0AD7DAA818C9C4CD1B78956D20A6B438268ED571 |
| SHA-256: | 63C4F084609CA4520E8866D561EE1F98F6BD3893333A310BCFB1A3327F1746BA |
| SHA-512: | AF443DE9024881BD53753D06F963091E97DEE10635FF7BDFF57FC37112A6DFC15692F1C032F3F93C9A2C7218B6B43B83BFF0B96A945E310B329201B87AE7A085 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\NmuA605dM4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 9772 |
| Entropy (8bit): | 7.6137806910013826 |
| Encrypted: | false |
| SSDEEP: | 192:6JVLuam+BbAnJ3BVgVbWZg0nEljHr/9c2oJNEHLydrOGwk5JkHCystQppF1J/4:67uamwbM/eV2ElC2ofEr4qctOptA |
| MD5: | 0B099CD2A387AB3A6AE23D1A34F8A87C |
| SHA1: | 5288F0060EB27318F7AC51C8C0F75006DD61019D |
| SHA-256: | C7C702CDE2B2526F8F82871A95634640BCA4E1AFF5C4B5FD8E114825EA0AF488 |
| SHA-512: | 5FA03D150DD918CB76BE7622D11AEF0931C4E37EEDC39E1675B0466C73F7B8AD6E7A0D13F2AEE52002CA44FBBE64EA0F162F5717A053299F631C8A31465CEFE4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\NmuA605dM4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28674 |
| Entropy (8bit): | 3.5826176336931215 |
| Encrypted: | false |
| SSDEEP: | 768:X9KA+dD7KzCaynKpACXECY9xMBHZBKOD26dSrxlO:UA+R7+BXD264a |
| MD5: | 653D498971FEF376EA16E6DADF407F5B |
| SHA1: | 685DED98549FD78ED92DE05AE21091A7C5EBE9E4 |
| SHA-256: | B396E1E5AC487327E1E03940569B780F2E848CD062FCDF8C62345E60F8D2BE42 |
| SHA-512: | 1870A1FE10EB3B32422DBC7B76A631DD51AE5BBCB7B67DFDC31A2B3743F97947AFB21EB51C2EA48FD8E429CA812A0C70497610376389D5B255BA80AFE729207A |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\NmuA605dM4.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 93696 |
| Entropy (8bit): | 6.911655417503038 |
| Encrypted: | false |
| SSDEEP: | 1536:vtHKWys22kPO1oeiSJSOels+p1mk+Kq2E4/e6pwUYmaJUez/9qSzJCHi7L7Uow0Y:FHKm2bWiU2fvwUUXz/9qSzJr7RTy |
| MD5: | 3F2B1336AA19DC0E48E2C187A71B7323 |
| SHA1: | 1E52593574D550AB031E4FAA0D432E67372A91A5 |
| SHA-256: | A5F8CC2EDBBEDDDC0291C1B0785A82B57054C037B2F79F5A58B472C147C25616 |
| SHA-512: | 6F3D8F16959EA0AAEEFAD37C47902BA14C33D620C0F6BE24FFB4F5F4DEE1347DAB0BA37394C201F53680F58DAEFD08F85A9BE1904AE70AF8EBA360E09B1300CE |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 0.15197513782217703 |
| TrID: |
|
| File name: | NmuA605dM4.exe |
| File size: | 80'740'352 bytes |
| MD5: | 0d36f475590e673e4303bc2beb338d72 |
| SHA1: | fbea0f77026dfd797473578ac35504842ef9f20c |
| SHA256: | bd60ebef71e2759f1b06ca6766f8d21d418a8fa99d69d0009004d461b8cb6f87 |
| SHA512: | 7392bc44266b6fc471d9a93f6ee5688d0265de0a88261466fd63daf340e0200ec08b0846dfc42ad14db7d65706f273faeb38c72d51c498255cd0607000fb5600 |
| SSDEEP: | 24576:Eu6J33O0c+JY5UZ+XC0kGso6FaBUfxy98HWY:+u0c++OCvkGs9FaBgk9vY |
| TLSH: | B208AD2273DDC360CB669173BF6AB7016EBF7C610630B85B2F980D7DA950161262D7A3 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}. |
 | |
| Icon Hash: | aaf3e3e3938382a0 |
| Entrypoint: | 0x427dcd |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67B6C6BE [Thu Feb 20 06:07:58 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | afcdf79be1557326c854b6e20cb900a7 |
| Instruction |
|---|
| call 00007FB4107DEA5Ah |
| jmp 00007FB4107D1824h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push edi |
| push esi |
| mov esi, dword ptr [esp+10h] |
| mov ecx, dword ptr [esp+14h] |
| mov edi, dword ptr [esp+0Ch] |
| mov eax, ecx |
| mov edx, ecx |
| add eax, esi |
| cmp edi, esi |
| jbe 00007FB4107D19AAh |
| cmp edi, eax |
| jc 00007FB4107D1D0Eh |
| bt dword ptr [004C31FCh], 01h |
| jnc 00007FB4107D19A9h |
| rep movsb |
| jmp 00007FB4107D1CBCh |
| cmp ecx, 00000080h |
| jc 00007FB4107D1B74h |
| mov eax, edi |
| xor eax, esi |
| test eax, 0000000Fh |
| jne 00007FB4107D19B0h |
| bt dword ptr [004BE324h], 01h |
| jc 00007FB4107D1E80h |
| bt dword ptr [004C31FCh], 00000000h |
| jnc 00007FB4107D1B4Dh |
| test edi, 00000003h |
| jne 00007FB4107D1B5Eh |
| test esi, 00000003h |
| jne 00007FB4107D1B3Dh |
| bt edi, 02h |
| jnc 00007FB4107D19AFh |
| mov eax, dword ptr [esi] |
| sub ecx, 04h |
| lea esi, dword ptr [esi+04h] |
| mov dword ptr [edi], eax |
| lea edi, dword ptr [edi+04h] |
| bt edi, 03h |
| jnc 00007FB4107D19B3h |
| movq xmm1, qword ptr [esi] |
| sub ecx, 08h |
| lea esi, dword ptr [esi+08h] |
| movq qword ptr [edi], xmm1 |
| lea edi, dword ptr [edi+08h] |
| test esi, 00000007h |
| je 00007FB4107D1A05h |
| bt esi, 03h |
| jnc 00007FB4107D1A58h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x1f374 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe7000 | 0x711c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc7000 | 0x1f374 | 0x1f400 | 462e0dfb5166e6ef305ca3923aedb49e | False | 0.7899453125 | data | 7.497904803666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xe7000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xcf7b8 | 0x1663c | data | 1.0003925502682427 | ||
| RT_GROUP_ICON | 0xe5df4 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0xe5e6c | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xe5e80 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xe5e94 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xe5ea8 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0xe5f84 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Description | Data |
|---|---|
| Translation | 0x0809 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-07T20:51:52.329502+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49681 | 132.226.8.169 | 80 | TCP |
| 2025-03-07T20:52:01.470071+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49681 | 132.226.8.169 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 20:51:50.151981115 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:51:50.157150984 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:51:50.157237053 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:51:50.157974958 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:51:50.163094997 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:51:50.987040997 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:51:50.993982077 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:51:50.999144077 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:51:52.274341106 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:51:52.312582970 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:52.312633038 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:52.312767029 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:52.320883989 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:52.320902109 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:52.329502106 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:51:54.098956108 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:54.099092007 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:54.106473923 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:54.106508017 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:54.106852055 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:54.155457973 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:54.196327925 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:55.005017042 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:55.010499954 CET | 443 | 49682 | 104.21.16.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:55.010673046 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:51:55.016412973 CET | 49682 | 443 | 192.168.2.10 | 104.21.16.1 |
| Mar 7, 2025 20:52:00.156935930 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:52:00.162159920 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:52:01.428190947 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:52:01.470071077 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:52:02.029325008 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:02.034459114 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:02.035186052 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:02.619261980 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:02.619580984 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:02.624783039 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:02.757304907 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:02.757576942 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:02.762600899 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:02.896440983 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:02.897119045 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:02.902177095 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.049047947 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.049069881 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.049082994 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.049097061 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.049154043 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.049196959 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.092257023 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.097291946 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.231136084 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.234889030 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.240192890 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.374541998 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.375766039 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.382385969 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.515423059 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.516479015 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.521917105 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.679162979 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.679466009 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.684679031 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.816338062 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.816690922 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.821870089 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.974178076 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:03.974373102 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:03.979638100 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.112200022 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.113650084 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.113748074 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.113789082 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.113831997 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.113948107 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.113971949 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.113991976 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.114017963 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:04.119004965 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.119043112 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.119134903 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.119147062 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.300416946 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:52:04.345154047 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:52:51.455089092 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:52:51.460366964 CET | 80 | 49681 | 132.226.8.169 | 192.168.2.10 |
| Mar 7, 2025 20:52:51.460457087 CET | 49681 | 80 | 192.168.2.10 | 132.226.8.169 |
| Mar 7, 2025 20:53:41.470922947 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Mar 7, 2025 20:53:41.476089954 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:53:41.610572100 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 |
| Mar 7, 2025 20:53:41.612274885 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 7, 2025 20:51:50.133277893 CET | 61618 | 53 | 192.168.2.10 | 1.1.1.1 |
| Mar 7, 2025 20:51:50.140686989 CET | 53 | 61618 | 1.1.1.1 | 192.168.2.10 |
| Mar 7, 2025 20:51:52.286412001 CET | 51507 | 53 | 192.168.2.10 | 1.1.1.1 |
| Mar 7, 2025 20:51:52.311605930 CET | 53 | 51507 | 1.1.1.1 | 192.168.2.10 |
| Mar 7, 2025 20:52:01.450963974 CET | 62221 | 53 | 192.168.2.10 | 1.1.1.1 |
| Mar 7, 2025 20:52:02.021836042 CET | 53 | 62221 | 1.1.1.1 | 192.168.2.10 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 20:51:50.133277893 CET | 192.168.2.10 | 1.1.1.1 | 0x6aae | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 7, 2025 20:51:52.286412001 CET | 192.168.2.10 | 1.1.1.1 | 0xf6f9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Mar 7, 2025 20:52:01.450963974 CET | 192.168.2.10 | 1.1.1.1 | 0x4922 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 7, 2025 20:51:50.140686989 CET | 1.1.1.1 | 192.168.2.10 | 0x6aae | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:50.140686989 CET | 1.1.1.1 | 192.168.2.10 | 0x6aae | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:50.140686989 CET | 1.1.1.1 | 192.168.2.10 | 0x6aae | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:50.140686989 CET | 1.1.1.1 | 192.168.2.10 | 0x6aae | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:50.140686989 CET | 1.1.1.1 | 192.168.2.10 | 0x6aae | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:50.140686989 CET | 1.1.1.1 | 192.168.2.10 | 0x6aae | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:51:52.311605930 CET | 1.1.1.1 | 192.168.2.10 | 0xf6f9 | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
| Mar 7, 2025 20:52:02.021836042 CET | 1.1.1.1 | 192.168.2.10 | 0x4922 | No error (0) | grupomaya.mx | CNAME (Canonical name) | IN (0x0001) | false | ||
| Mar 7, 2025 20:52:02.021836042 CET | 1.1.1.1 | 192.168.2.10 | 0x4922 | No error (0) | 198.59.144.139 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.10 | 49681 | 132.226.8.169 | 80 | 6284 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Mar 7, 2025 20:51:50.157974958 CET | 151 | OUT | |
| Mar 7, 2025 20:51:50.987040997 CET | 273 | IN | |
| Mar 7, 2025 20:51:50.993982077 CET | 127 | OUT | |
| Mar 7, 2025 20:51:52.274341106 CET | 682 | IN | |
| Mar 7, 2025 20:52:00.156935930 CET | 127 | OUT | |
| Mar 7, 2025 20:52:01.428190947 CET | 682 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.10 | 49682 | 104.21.16.1 | 443 | 6284 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-03-07 19:51:54 UTC | 73 | OUT | |
| 2025-03-07 19:51:55 UTC | 771 | IN | |
| 2025-03-07 19:51:55 UTC | 375 | IN |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Mar 7, 2025 20:52:02.619261980 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 | 220-svgt326.serverneubox.com.mx ESMTP Exim 4.98.1 #2 Fri, 07 Mar 2025 13:52:02 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
| Mar 7, 2025 20:52:02.619580984 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 | EHLO 992547 |
| Mar 7, 2025 20:52:02.757304907 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 | 250-svgt326.serverneubox.com.mx Hello 992547 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP |
| Mar 7, 2025 20:52:02.757576942 CET | 49686 | 587 | 192.168.2.10 | 198.59.144.139 | STARTTLS |
| Mar 7, 2025 20:52:02.896440983 CET | 587 | 49686 | 198.59.144.139 | 192.168.2.10 | 220 TLS go ahead |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:51:46 |
| Start date: | 07/03/2025 |
| Path: | C:\Users\user\Desktop\NmuA605dM4.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa10000 |
| File size: | 80'740'352 bytes |
| MD5 hash: | 0D36F475590E673E4303BC2BEB338D72 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 14:51:47 |
| Start date: | 07/03/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xa80000 |
| File size: | 45'984 bytes |
| MD5 hash: | 9D352BC46709F0CB5EC974633A0C3C94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | high |
| Has exited: | false |