Play interactive tour
Edit tourAnalysis Report PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Overview
General Information
| Sample Name: | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
| Analysis ID: | 324081 |
| MD5: | b3cb5b2bc5c3033b1008ed7f7f6312db |
| SHA1: | 3fd8e55a12bdf35200ee43e210951825ad0293d3 |
| SHA256: | 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b |
| Tags: | exe |
Most interesting Screenshot:  | |
Detection
AgentTesla
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
Startup |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 4 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
|---|
| No Sigma rule has matched |
|---|
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: |   |
|---|
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | ReversingLabs: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
System Summary: | |
|---|
| Initial sample is a PE file and has a suspicious name | Show sources | ||
| Source: | Static PE information: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | ||
| Source: | Classification label: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Command line argument: | ||
| Source: | Command line argument: | ||
| Source: | Command line argument: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Key opened: | ||
| Source: | Section loaded: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Binary string: | ||
Data Obfuscation: | |
|---|
| Detected unpacking (changes PE section rights) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Detected unpacking (overwrites its own PE header) | Show sources | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File created: | ||
| Source: | Registry key monitored for changes: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
Malware Analysis System Evasion: | |
|---|
| Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | ||
| Source: | Thread delayed: | ||
| Source: | Window / User API: | ||
| Source: | Window / User API: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep count: | ||
| Source: | Thread sleep count: | ||
| Source: | WMI Queries: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Process token adjusted: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Memory allocated: | ||
HIPS / PFW / Operating System Protection Evasion: | |
|---|
| Injects a PE file into a foreign processes | Show sources | ||
| Source: | Memory written: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Key value queried: | ||
Stealing of Sensitive Information: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality: | |
|---|
| Yara detected AgentTesla | Show sources | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion13 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Security Software Discovery141 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Virtualization/Sandbox Evasion13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing21 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Account Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Information Discovery124 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 56% | ReversingLabs | Win32.Infostealer.Fareit | ||
| 100% | Joe Sandbox ML |
Dropped Files |
|---|
| No Antivirus matches |
|---|
Unpacked PE Files |
|---|
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Dropper.Gen | Download File |
Domains |
|---|
| No Antivirus matches |
|---|
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| discord.com | 162.159.137.232 | true | false | unknown | |
| cdn.discordapp.com | 162.159.135.233 | true | false | high |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 162.159.137.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
| 162.159.135.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
|---|
| Joe Sandbox Version: | 31.0.0 Red Diamond |
| Analysis ID: | 324081 |
| Start date: | 28.11.2020 |
| Start time: | 10:30:16 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 3s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Sample file name: | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 19 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal92.troj.evad.winEXE@3/0@2/2 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 10:31:06 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 162.159.137.232 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 162.159.135.233 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
|
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| discord.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| cdn.discordapp.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| ce5f3254611a8c095a3d821d44539877 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Dropped Files |
|---|
| No context |
|---|
Created / dropped Files |
|---|
| No created / dropped files found |
|---|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.110241254206797 |
| TrID: |
|
| File name: | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
| File size: | 1218752 |
| MD5: | b3cb5b2bc5c3033b1008ed7f7f6312db |
| SHA1: | 3fd8e55a12bdf35200ee43e210951825ad0293d3 |
| SHA256: | 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b |
| SHA512: | 3724f52089d06f1260f1b6c0ddf73326d44e5b16a12fc99b868c831e481b1edab29fac4695f64e222679d936789455f6c2ce38e5cdfc595d73352faafd321836 |
| SSDEEP: | 24576:3RVtvQ+csIDccuZGhe1ppCmfwybRm8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYFzQ0t |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
File Icon |
|---|
 | |
| Icon Hash: | b2989692969ed26a |
Static PE Info |
|---|
General | |
|---|---|
| Entrypoint: | 0x47f698 |
| Entrypoint Section: | CODE |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, UP_SYSTEM_ONLY, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 191f8035b5c11d5de8fd20cfdada0df2 |
Authenticode Signature |
|---|
| Signature Valid: | false |
| Signature Issuer: | CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 3B66EDDAB891B79FEDB150AC2C59DB3A |
| Thumbprint SHA-1: | 98ED99A67886D020C564923B7DF25E9AC019DF26 |
| Thumbprint SHA-256: | 57DD481BF26C0A55C3E867B2D6C6978BEAF5CE3509325CA2607D853F9349A9FF |
| Serial: | 330000014096A9EE7056FECC07000100000140 |
Entrypoint Preview |
|---|
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFF0h |
| mov eax, 0047F418h |
| call 00007F07A4909C35h |
| push 0000001Eh |
| pop ebx |
| push eax |
| mov eax, dword ptr [00481FE8h] |
| mov eax, dword ptr [eax] |
| call 00007F07A4960A39h |
| mov eax, dword ptr [00481FE8h] |
| mov eax, dword ptr [eax] |
| mov edx, 0047F708h |
| call 00007F07A4960628h |
| mov ecx, dword ptr [00481F6Ch] |
| mov eax, dword ptr [00481FE8h] |
| mov eax, dword ptr [eax] |
| mov edx, dword ptr [0047EF20h] |
| call 00007F07A4960A28h |
| mov eax, dword ptr [00481FE8h] |
| mov eax, dword ptr [eax] |
| mov byte ptr [eax+5Bh], 00000000h |
| mov eax, dword ptr [00481FE8h] |
| mov eax, dword ptr [eax] |
| call 00007F07A4960A91h |
| call 00007F07A4907724h |
| add byte ptr [eax], al |
| add bh, bh |
Data Directories |
|---|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85000 | 0x24ca | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x93000 | 0x97c00 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x124400 | 0x54c0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0x8f34 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x89000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
|---|
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| CODE | 0x1000 | 0x7e714 | 0x7e800 | False | 0.523837002841 | data | 6.52444996172 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| DATA | 0x80000 | 0x219c | 0x2200 | False | 0.390969669118 | data | 4.54957969266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| BSS | 0x83000 | 0x1135 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .idata | 0x85000 | 0x24ca | 0x2600 | False | 0.354851973684 | data | 4.81311536495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .tls | 0x88000 | 0x40 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rdata | 0x89000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.184150656087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .reloc | 0x8a000 | 0x8f34 | 0x9000 | False | 0.559760199653 | data | 6.63092268857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
| .rsrc | 0x93000 | 0x97c00 | 0x97c00 | False | 0.509374678233 | data | 6.97981181424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Resources |
|---|
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_CURSOR | 0x93c0c | 0x134 | data | ||
| RT_CURSOR | 0x93d40 | 0x134 | data | ||
| RT_CURSOR | 0x93e74 | 0x134 | data | ||
| RT_CURSOR | 0x93fa8 | 0x134 | data | ||
| RT_CURSOR | 0x940dc | 0x134 | data | ||
| RT_CURSOR | 0x94210 | 0x134 | data | ||
| RT_CURSOR | 0x94344 | 0x134 | data | ||
| RT_BITMAP | 0x94478 | 0x1d0 | data | ||
| RT_BITMAP | 0x94648 | 0x1e4 | data | ||
| RT_BITMAP | 0x9482c | 0x1d0 | data | ||
| RT_BITMAP | 0x949fc | 0x1d0 | data | ||
| RT_BITMAP | 0x94bcc | 0x1d0 | data | ||
| RT_BITMAP | 0x94d9c | 0x1d0 | data | ||
| RT_BITMAP | 0x94f6c | 0x1d0 | data | ||
| RT_BITMAP | 0x9513c | 0x1d0 | data | ||
| RT_BITMAP | 0x9530c | 0x1d0 | data | ||
| RT_BITMAP | 0x954dc | 0x1d0 | data | ||
| RT_BITMAP | 0x956ac | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0x95794 | 0x10a8 | data | English | United States |
| RT_ICON | 0x9683c | 0x25a8 | data | English | United States |
| RT_ICON | 0x98de4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240 | English | United States |
| RT_ICON | 0x9d00c | 0x5488 | data | English | United States |
| RT_ICON | 0xa2494 | 0xac5c | data | English | United States |
| RT_DIALOG | 0xad0f0 | 0x52 | data | ||
| RT_STRING | 0xad144 | 0x314 | data | ||
| RT_STRING | 0xad458 | 0x1dc | data | ||
| RT_STRING | 0xad634 | 0x154 | data | ||
| RT_STRING | 0xad788 | 0x3a4 | data | ||
| RT_STRING | 0xadb2c | 0x4bc | data | ||
| RT_STRING | 0xadfe8 | 0xc0 | data | ||
| RT_STRING | 0xae0a8 | 0xfc | data | ||
| RT_STRING | 0xae1a4 | 0x120 | data | ||
| RT_STRING | 0xae2c4 | 0x4c0 | data | ||
| RT_STRING | 0xae784 | 0x350 | data | ||
| RT_STRING | 0xaead4 | 0x39c | data | ||
| RT_STRING | 0xaee70 | 0x3b0 | data | ||
| RT_STRING | 0xaf220 | 0xf0 | data | ||
| RT_STRING | 0xaf310 | 0xc0 | data | ||
| RT_STRING | 0xaf3d0 | 0x2d8 | data | ||
| RT_STRING | 0xaf6a8 | 0x494 | data | ||
| RT_STRING | 0xafb3c | 0x3ac | data | ||
| RT_STRING | 0xafee8 | 0x2d4 | data | ||
| RT_RCDATA | 0xb01bc | 0x10 | data | ||
| RT_RCDATA | 0xb01cc | 0x350 | data | ||
| RT_RCDATA | 0xb051c | 0x7859a | GIF image data, version 89a, 577 x 188 | English | United States |
| RT_RCDATA | 0x128ab8 | 0x1f39 | Delphi compiled form 'T__882643936' | ||
| RT_GROUP_CURSOR | 0x12a9f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x12aa08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x12aa1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x12aa30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x12aa44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x12aa58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_CURSOR | 0x12aa6c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
| RT_GROUP_ICON | 0x12aa80 | 0x4c | data | English | United States |
Imports |
|---|
| DLL | Import |
|---|---|
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
| user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| kernel32.dll | lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
| version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
| gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixelFormat, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetDCBrushColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt |
| user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
| kernel32.dll | Sleep |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
| ole32.dll | CoUninitialize, CoInitialize |
| oleaut32.dll | GetErrorInfo, SysFreeString |
| comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
| shell32.dll | ShellExecuteA |
| winmm.dll | sndPlaySoundA |
Possible Origin |
|---|
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 28, 2020 10:31:07.618732929 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
| Nov 28, 2020 10:31:07.635231018 CET | 443 | 49732 | 162.159.137.232 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.635396004 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
| Nov 28, 2020 10:31:07.636028051 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
| Nov 28, 2020 10:31:07.652529955 CET | 443 | 49732 | 162.159.137.232 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.652559996 CET | 443 | 49732 | 162.159.137.232 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.652657032 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
| Nov 28, 2020 10:31:07.731426954 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:07.747754097 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.747883081 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:07.797060966 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:07.813452005 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.815418959 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.815448046 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.815462112 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.815733910 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:07.865027905 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:07.881252050 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:07.897581100 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.898933887 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.945055008 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.013133049 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.029519081 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057188988 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057210922 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057224035 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057240963 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057255030 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057267904 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057281017 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057291031 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057296991 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057316065 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057327986 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057341099 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057343960 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057358027 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057373047 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057403088 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057410002 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057410002 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057429075 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057446957 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057462931 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057463884 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057482004 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057499886 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057512999 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057518005 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057522058 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057531118 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057547092 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057565928 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057583094 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057595968 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057600975 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057609081 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057614088 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057631016 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057646036 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057662964 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057677984 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057678938 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057683945 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057698011 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057714939 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057729006 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057733059 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057734013 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057750940 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057765961 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057769060 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057784081 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057800055 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057815075 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057816982 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057835102 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057852983 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057856083 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057871103 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057887077 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057899952 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057900906 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057904005 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057917118 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057934999 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057939053 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057951927 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057971001 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.057986021 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.057991028 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.058003902 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.058007956 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.058027029 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.058043957 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.058054924 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.058062077 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.058079004 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
| Nov 28, 2020 10:31:08.058094025 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
| Nov 28, 2020 10:31:08.058094978 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 28, 2020 10:31:02.219085932 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:02.246105909 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.560221910 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:07.587306976 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:07.702680111 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:07.729708910 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:28.383827925 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:28.411088943 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:34.247920990 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:35.273853064 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:36.078322887 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:36.241617918 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:36.241916895 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:36.242775917 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:36.987870932 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:37.014924049 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:37.733671904 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:37.769320965 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:38.429485083 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:38.456552982 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:39.143574953 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:39.170844078 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:39.872354984 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:39.910217047 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:40.799295902 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:40.826457024 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:49.510163069 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:49.546915054 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:54.236198902 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:54.279809952 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:54.814912081 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:54.868314981 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:55.420306921 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:55.455759048 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:55.775741100 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:55.811485052 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:56.188901901 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:56.224395037 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:56.684010983 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:56.719657898 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:57.369980097 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:57.407788992 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:58.073167086 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:58.108619928 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:59.318715096 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:59.354480982 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:59.681447029 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:59.717175961 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:31:59.858293056 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:31:59.909159899 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:05.831170082 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:05.868024111 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:12.090886116 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:12.117989063 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:12.799681902 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:12.826797962 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:14.314152956 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:14.341248989 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:15.578613043 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:15.605720043 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:17.442347050 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:17.477639914 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:44.223612070 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:44.250850916 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| Nov 28, 2020 10:32:45.968452930 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| Nov 28, 2020 10:32:46.004127026 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Nov 28, 2020 10:31:07.560221910 CET | 192.168.2.4 | 8.8.8.8 | 0x6e3c | Standard query (0) | A (IP address) | IN (0x0001) | |
| Nov 28, 2020 10:31:07.702680111 CET | 192.168.2.4 | 8.8.8.8 | 0x3a8 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.137.232 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.136.232 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.135.232 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.128.233 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.138.232 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.135.233 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.129.233 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.133.233 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.130.233 | A (IP address) | IN (0x0001) | ||
| Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.134.233 | A (IP address) | IN (0x0001) |
HTTPS Packets |
|---|
| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 28, 2020 10:31:07.815462112 CET | 162.159.135.233 | 443 | 192.168.2.4 | 49733 | CN=ssl711320.cloudflaressl.com CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004 | Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877 |
| CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029 | |||||||
| CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029 |
Code Manipulations |
|---|
Statistics |
|---|
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 10:31:05 |
| Start date: | 28/11/2020 |
| Path: | C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1218752 bytes |
| MD5 hash: | B3CB5B2BC5C3033B1008ED7F7F6312DB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | low |
General |
|---|
| Start time: | 10:31:59 |
| Start date: | 28/11/2020 |
| Path: | C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 1218752 bytes |
| MD5 hash: | B3CB5B2BC5C3033B1008ED7F7F6312DB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|