Analysis Report PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
(4 further memory-dump entries not shown) |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
System Summary: |
---|
Initial sample is a PE file and has a suspicious name |
Source: | Static PE information: |
Source: | Code function: | (41 entries; function addresses not included in this extract) |
Source: | Code function: | (2 entries; function addresses not included in this extract) |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Section loaded: |
Source: | Classification label: |
Source: | Code function: |
Source: | Code function: |
Source: | Command line argument: | ||
Source: | Command line argument: | ||
Source: | Command line argument: |
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
Source: | Section loaded: |
Source: | WMI Queries: |
Source: | Key opened: |
Source: | File read: | ||
Source: | File read: | ||
Source: | File read: |
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Window detected: |
Source: | Static file information: |
Source: | Binary string: |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) |
Source: | Unpacked PE file: |
Detected unpacking (overwrites its own PE header) |
Source: | Unpacked PE file: |
Source: | Code function: |
Source: | Code function: | (31 entries; function addresses not included in this extract) |
Source: | File created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | (38 entries; values not included in this extract) |
Malware Analysis System Evasion: |
---|
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries: |
Source: | Code function: |
Source: | Thread delayed: |
Source: | Window / User API: | ||
Source: | Window / User API: |
Source: | Thread sleep count: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep count: | ||
Source: | Thread sleep count: |
Source: | WMI Queries: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Process token adjusted: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Injects a PE file into foreign processes |
Source: | Memory written: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: |
Source: | Code function: |
Source: | Code function: |
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected AgentTesla |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion13 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Security Software Discovery141 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Virtualization/Sandbox Evasion13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing21 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Account Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Information Discovery124 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
56% | ReversingLabs | Win32.Infostealer.Fareit | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | Download File |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
discord.com | 162.159.137.232 | true | false | unknown | |
cdn.discordapp.com | 162.159.135.233 | true | false | high |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(URL not included in this extract) | | false | | unknown |
(URL not included in this extract) | | false | | low |
(URL not included in this extract) | | false | | unknown |
(URL not included in this extract) | | false | | unknown |
(URL not included in this extract) | | false | | high |
(URL not included in this extract) | | false | | high |
(URL not included in this extract) | | false | | unknown |
(URL not included in this extract) | | false | | high |
(URL not included in this extract) | | false | | unknown |
Contacted IPs |
---|
(Geographic map of contacted IPs not included; legend buckets: < 25%, 25-50%, 50-75%, > 75% of contacted IPs per country)
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
162.159.137.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
162.159.135.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 324081 |
Start date: | 28.11.2020 |
Start time: | 10:30:16 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.troj.evad.winEXE@3/0@2/2 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
10:31:06 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
162.159.137.232 | (20 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
162.159.135.233 | (2 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
discord.com | (20 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
cdn.discordapp.com | (20 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | (20 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
CLOUDFLARENETUS | (20 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ce5f3254611a8c095a3d821d44539877 | (20 related samples; names and SHA-256 hashes not included in this extract) | | malicious | | |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.110241254206797 |
TrID: |
|
File name: | PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
File size: | 1218752 |
MD5: | b3cb5b2bc5c3033b1008ed7f7f6312db |
SHA1: | 3fd8e55a12bdf35200ee43e210951825ad0293d3 |
SHA256: | 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b |
SHA512: | 3724f52089d06f1260f1b6c0ddf73326d44e5b16a12fc99b868c831e481b1edab29fac4695f64e222679d936789455f6c2ce38e5cdfc595d73352faafd321836 |
SSDEEP: | 24576:3RVtvQ+csIDccuZGhe1ppCmfwybRm8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYFzQ0t |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
File Icon |
---|
Icon Hash: | b2989692969ed26a |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x47f698 |
Entrypoint Section: | CODE |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, UP_SYSTEM_ONLY, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 191f8035b5c11d5de8fd20cfdada0df2 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 3B66EDDAB891B79FEDB150AC2C59DB3A |
Thumbprint SHA-1: | 98ED99A67886D020C564923B7DF25E9AC019DF26 |
Thumbprint SHA-256: | 57DD481BF26C0A55C3E867B2D6C6978BEAF5CE3509325CA2607D853F9349A9FF |
Serial: | 330000014096A9EE7056FECC07000100000140 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 0047F418h |
call 00007F07A4909C35h |
push 0000001Eh |
pop ebx |
push eax |
mov eax, dword ptr [00481FE8h] |
mov eax, dword ptr [eax] |
call 00007F07A4960A39h |
mov eax, dword ptr [00481FE8h] |
mov eax, dword ptr [eax] |
mov edx, 0047F708h |
call 00007F07A4960628h |
mov ecx, dword ptr [00481F6Ch] |
mov eax, dword ptr [00481FE8h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [0047EF20h] |
call 00007F07A4960A28h |
mov eax, dword ptr [00481FE8h] |
mov eax, dword ptr [eax] |
mov byte ptr [eax+5Bh], 00000000h |
mov eax, dword ptr [00481FE8h] |
mov eax, dword ptr [eax] |
call 00007F07A4960A91h |
call 00007F07A4907724h |
add byte ptr [eax], al |
add bh, bh |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85000 | 0x24ca | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x93000 | 0x97c00 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x124400 | 0x54c0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0x8f34 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x89000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0x7e714 | 0x7e800 | False | 0.523837002841 | data | 6.52444996172 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
DATA | 0x80000 | 0x219c | 0x2200 | False | 0.390969669118 | data | 4.54957969266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
BSS | 0x83000 | 0x1135 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.idata | 0x85000 | 0x24ca | 0x2600 | False | 0.354851973684 | data | 4.81311536495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.tls | 0x88000 | 0x40 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rdata | 0x89000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.184150656087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0x8a000 | 0x8f34 | 0x9000 | False | 0.559760199653 | data | 6.63092268857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x93000 | 0x97c00 | 0x97c00 | False | 0.509374678233 | data | 6.97981181424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_CURSOR | 0x93c0c | 0x134 | data | ||
RT_CURSOR | 0x93d40 | 0x134 | data | ||
RT_CURSOR | 0x93e74 | 0x134 | data | ||
RT_CURSOR | 0x93fa8 | 0x134 | data | ||
RT_CURSOR | 0x940dc | 0x134 | data | ||
RT_CURSOR | 0x94210 | 0x134 | data | ||
RT_CURSOR | 0x94344 | 0x134 | data | ||
RT_BITMAP | 0x94478 | 0x1d0 | data | ||
RT_BITMAP | 0x94648 | 0x1e4 | data | ||
RT_BITMAP | 0x9482c | 0x1d0 | data | ||
RT_BITMAP | 0x949fc | 0x1d0 | data | ||
RT_BITMAP | 0x94bcc | 0x1d0 | data | ||
RT_BITMAP | 0x94d9c | 0x1d0 | data | ||
RT_BITMAP | 0x94f6c | 0x1d0 | data | ||
RT_BITMAP | 0x9513c | 0x1d0 | data | ||
RT_BITMAP | 0x9530c | 0x1d0 | data | ||
RT_BITMAP | 0x954dc | 0x1d0 | data | ||
RT_BITMAP | 0x956ac | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0x95794 | 0x10a8 | data | English | United States |
RT_ICON | 0x9683c | 0x25a8 | data | English | United States |
RT_ICON | 0x98de4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240 | English | United States |
RT_ICON | 0x9d00c | 0x5488 | data | English | United States |
RT_ICON | 0xa2494 | 0xac5c | data | English | United States |
RT_DIALOG | 0xad0f0 | 0x52 | data | ||
RT_STRING | 0xad144 | 0x314 | data | ||
RT_STRING | 0xad458 | 0x1dc | data | ||
RT_STRING | 0xad634 | 0x154 | data | ||
RT_STRING | 0xad788 | 0x3a4 | data | ||
RT_STRING | 0xadb2c | 0x4bc | data | ||
RT_STRING | 0xadfe8 | 0xc0 | data | ||
RT_STRING | 0xae0a8 | 0xfc | data | ||
RT_STRING | 0xae1a4 | 0x120 | data | ||
RT_STRING | 0xae2c4 | 0x4c0 | data | ||
RT_STRING | 0xae784 | 0x350 | data | ||
RT_STRING | 0xaead4 | 0x39c | data | ||
RT_STRING | 0xaee70 | 0x3b0 | data | ||
RT_STRING | 0xaf220 | 0xf0 | data | ||
RT_STRING | 0xaf310 | 0xc0 | data | ||
RT_STRING | 0xaf3d0 | 0x2d8 | data | ||
RT_STRING | 0xaf6a8 | 0x494 | data | ||
RT_STRING | 0xafb3c | 0x3ac | data | ||
RT_STRING | 0xafee8 | 0x2d4 | data | ||
RT_RCDATA | 0xb01bc | 0x10 | data | ||
RT_RCDATA | 0xb01cc | 0x350 | data | ||
RT_RCDATA | 0xb051c | 0x7859a | GIF image data, version 89a, 577 x 188 | English | United States |
RT_RCDATA | 0x128ab8 | 0x1f39 | Delphi compiled form 'T__882643936' | ||
RT_GROUP_CURSOR | 0x12a9f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_CURSOR | 0x12aa08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_CURSOR | 0x12aa1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_CURSOR | 0x12aa30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_CURSOR | 0x12aa44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_CURSOR | 0x12aa58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_CURSOR | 0x12aa6c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | ||
RT_GROUP_ICON | 0x12aa80 | 0x4c | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
kernel32.dll | lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixelFormat, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetDCBrushColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt |
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
kernel32.dll | Sleep |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
ole32.dll | CoUninitialize, CoInitialize |
oleaut32.dll | GetErrorInfo, SysFreeString |
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
shell32.dll | ShellExecuteA |
winmm.dll | sndPlaySoundA |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 28, 2020 10:31:07.618732929 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
Nov 28, 2020 10:31:07.635231018 CET | 443 | 49732 | 162.159.137.232 | 192.168.2.4 |
Nov 28, 2020 10:31:07.635396004 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
Nov 28, 2020 10:31:07.636028051 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
Nov 28, 2020 10:31:07.652529955 CET | 443 | 49732 | 162.159.137.232 | 192.168.2.4 |
Nov 28, 2020 10:31:07.652559996 CET | 443 | 49732 | 162.159.137.232 | 192.168.2.4 |
Nov 28, 2020 10:31:07.652657032 CET | 49732 | 443 | 192.168.2.4 | 162.159.137.232 |
Nov 28, 2020 10:31:07.731426954 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:07.747754097 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.747883081 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:07.797060966 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:07.813452005 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.815418959 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.815448046 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.815462112 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.815733910 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:07.865027905 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:07.881252050 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:07.897581100 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.898933887 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:07.945055008 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.013133049 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.029519081 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057188988 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057210922 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057224035 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057240963 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057255030 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057267904 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057281017 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057291031 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057296991 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057316065 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057327986 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057341099 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057343960 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057358027 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057373047 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057403088 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057410002 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057410002 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057429075 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057446957 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057462931 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057463884 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057482004 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057499886 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057512999 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057518005 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057522058 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057531118 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057547092 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057565928 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057583094 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057595968 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057600975 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057609081 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057614088 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057631016 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057646036 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057662964 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057677984 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057678938 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057683945 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057698011 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057714939 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057729006 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057733059 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057734013 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057750940 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057765961 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057769060 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057784081 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057800055 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057815075 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057816982 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057835102 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057852983 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057856083 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057871103 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057887077 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057899952 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057900906 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057904005 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057917118 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057934999 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057939053 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057951927 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057971001 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.057986021 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.057991028 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.058003902 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.058007956 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.058027029 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.058043957 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.058054924 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.058062077 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.058079004 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
Nov 28, 2020 10:31:08.058094025 CET | 49733 | 443 | 192.168.2.4 | 162.159.135.233 |
Nov 28, 2020 10:31:08.058094978 CET | 443 | 49733 | 162.159.135.233 | 192.168.2.4 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 28, 2020 10:31:02.219085932 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:02.246105909 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:07.560221910 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:07.587306976 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:07.702680111 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:07.729708910 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:28.383827925 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:28.411088943 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:34.247920990 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:35.273853064 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:36.078322887 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:36.241617918 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:36.241916895 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:36.242775917 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:36.987870932 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:37.014924049 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:37.733671904 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:37.769320965 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:38.429485083 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:38.456552982 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:39.143574953 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:39.170844078 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:39.872354984 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:39.910217047 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:40.799295902 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:40.826457024 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:49.510163069 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:49.546915054 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:54.236198902 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:54.279809952 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:54.814912081 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:54.868314981 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:55.420306921 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:55.455759048 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:55.775741100 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:55.811485052 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:56.188901901 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:56.224395037 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:56.684010983 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:56.719657898 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:57.369980097 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:57.407788992 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:58.073167086 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:58.108619928 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:59.318715096 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:59.354480982 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:59.681447029 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:59.717175961 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:31:59.858293056 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:31:59.909159899 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:05.831170082 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:05.868024111 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:12.090886116 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:12.117989063 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:12.799681902 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:12.826797962 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:14.314152956 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:14.341248989 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:15.578613043 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:15.605720043 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:17.442347050 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:17.477639914 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:44.223612070 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:44.250850916 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Nov 28, 2020 10:32:45.968452930 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Nov 28, 2020 10:32:46.004127026 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 28, 2020 10:31:07.560221910 CET | 192.168.2.4 | 8.8.8.8 | 0x6e3c | Standard query (0) | A (IP address) | IN (0x0001) | |
Nov 28, 2020 10:31:07.702680111 CET | 192.168.2.4 | 8.8.8.8 | 0x3a8 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.137.232 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.136.232 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.135.232 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.128.233 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.587306976 CET | 8.8.8.8 | 192.168.2.4 | 0x6e3c | No error (0) | 162.159.138.232 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.135.233 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.129.233 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.133.233 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.130.233 | A (IP address) | IN (0x0001) | ||
Nov 28, 2020 10:31:07.729708910 CET | 8.8.8.8 | 192.168.2.4 | 0x3a8 | No error (0) | 162.159.134.233 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Nov 28, 2020 10:31:07.815462112 CET | 162.159.135.233 | 443 | 192.168.2.4 | 49733 | CN=ssl711320.cloudflaressl.com | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Oct 27 01:00:00 CET 2020 | Thu May 06 01:59:59 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877 |
(chain, intermediate) | | | | | CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Sep 25 02:00:00 CEST 2014 | Tue Sep 25 01:59:59 CEST 2029 | | |
(chain, root cross-sign) | | | | | CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029 | | |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 10:31:05 |
Start date: | 28/11/2020 |
Path: | C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1218752 bytes |
MD5 hash: | B3CB5B2BC5C3033B1008ED7F7F6312DB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
General |
---|
Start time: | 10:31:59 |
Start date: | 28/11/2020 |
Path: | C:\Users\user\Desktop\PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1218752 bytes |
MD5 hash: | B3CB5B2BC5C3033B1008ED7F7F6312DB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: | |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|