Analysis Report executable.4420.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Compliance: |
---|
Uses 32bit PE files |
Source: | Static PE information: |
Binary contains paths to debug symbols |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | System Time Discovery11 | Remote Services | Clipboard Data2 | Exfiltration Over Alternative Protocol1 | Ingress Tool Transfer11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 74% | ReversingLabs | Win32.Spyware.Perfect | |
| 100% | Avira | HEUR/AGEN.1112545 | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1112545 | | |
| 100% | Avira | HEUR/AGEN.1112545 | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 356831 |
Start date: | 23.02.2021 |
Start time: | 17:32:10 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | executable.4420.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal60.winEXE@2/4@0/0 |
HCA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
17:33:15 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11726 |
Entropy (8bit): | 3.769916385992574 |
Encrypted: | false |
SSDEEP: | 192:tJknh75BgH/UJuLVe7jBrPAz/u7sWS274ItMP1F:bMw/UJuLcjKz/u7sWX4It0F |
MD5: | 0C01155023A36D9E2DAB66E877103554 |
SHA1: | 489051F8E0DB7A7AE8F00A4E4DCC53BF37E929F0 |
SHA-256: | D267EC28890985E2A14E447F22A79DDC147396886D78F9BEE3F72649BBF500FB |
SHA-512: | 9AA05053FF62920D4F2732F48FC5D7467B48A16C18FB8C5B19D0C3DD10A593C7DA1F459B57748ACB60EC9D37F7401A902A82CDA937CF8DC9D1DCA4D8269B545E |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1085526 |
Entropy (8bit): | 1.2210534980162013 |
Encrypted: | false |
SSDEEP: | 1536:VcpPfIY/EnrIqBkTiRcO3kkP3nFHBjf2rLk/p17:EgY/tEksVxMrLG7 |
MD5: | 9EA8D8935DD62708B6F7A878CD221E88 |
SHA1: | 999D1845B7B1D709ED65F7DE307E1D26D8168202 |
SHA-256: | 6B3D0461EF3C94BE23362456530AF2703A71753E66390AA1D6B051C3A8308066 |
SHA-512: | CFD1974D3A8D4280AF8BCE8BA28A605488E27F819A086C535526AB1BD5A8F35E6D03137F9E2B0A2F88A66505C574FA4B2B326E386EEC7C9C83693606FB134BF7 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8316 |
Entropy (8bit): | 3.6945173129731437 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNixWA6JB2T6YrpSUwW8/gmfXlZS/LM+pD089bKbKsfNkkjm:RrlsNin6v2T6YlSUwWUgmfLS/LZKbpfk |
MD5: | 1FCC27E2DD05A24687AC7AF559479613 |
SHA1: | 161D62CBD1DA5B6AD0B8469B6CDFF5DE3FB6656D |
SHA-256: | A3295E86AF60BE69C6DDFA7961E2EA4CA8153201008146D6A1AA5CFCE435D3BB |
SHA-512: | D72CD49A3BED6214C6FB9E597C0375D3DF726A5094E826353E6F5C329C046AFB88D98357B18CC354EADC375189B134B5EE667B3A6DE6D80EA1A7938A39861BC3 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4597 |
Entropy (8bit): | 4.455068962408137 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsZJgtWI9JUkWSC8Bh8fm8M4JSHd8lFr+q8r3Y7wFUHjTd:uITfruU9SN4JS98Lq3+w+HjTd |
MD5: | 3C9F716FF3820EC27E2BF1DA7EA405D0 |
SHA1: | 1F64446E6CB07224DDB7B6A3C9D6147816623211 |
SHA-256: | 09570CC72E66EF66B1635A9BCC109BFF750049B603A673CCB74F7810B3F9C914 |
SHA-512: | 0EF9AEEAE7120A5302C7493137F31F8E1EAAF7B9AB793A6098DB7EAC068192DA302A32A0BC39002CEF5C02F776E862D86C24D27448C429C6B176D2EC68CBADC0 |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.300468788976393 |
File name: | executable.4420.exe |
File size: | 438272 |
MD5: | 6192cfbe8e44360f7c0b6f696206f41d |
SHA1: | 166886066ffabb76f6b72c4b4ed91fa19e59987a |
SHA256: | 8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a |
SHA512: | d492b9ea094bd6e695a562a855587feaf793be0cb35cf28df681a0022a8e0139a222a68bd578fb65b125fe9fea86f1f596bf337e65a445e8a5286d95ae037857 |
SSDEEP: | 3072:U+NvJwwbI7mZgauugh+KsvkfGDLNj58E2wL6uEXKIwjwxhfgtRlh:9swbYmZgarrKsvVDR5POuE6Iwqf4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u....R...R...R.].R...R.c.R...R.]>R...R.\.R...R.`.R...R\c.R...R.`.R...R.`.R...R.Y.R...R...R.}.R%\.R...R...R...R.Y.R...R.y.R... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x43e7ae |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x47299316 [Thu Nov 1 08:49:26 2007 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 4dc9b0b4e019be52f23cc9a3c195910d |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 0044A588h |
push 0043E91Eh |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 68h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
xor ebx, ebx |
mov dword ptr [ebp-04h], ebx |
push 00000002h |
call dword ptr [00444824h] |
pop ecx |
or dword ptr [00455C18h], FFFFFFFFh |
or dword ptr [00455C1Ch], FFFFFFFFh |
call dword ptr [004447B4h] |
mov ecx, dword ptr [00455BF8h] |
mov dword ptr [eax], ecx |
call dword ptr [00444754h] |
mov ecx, dword ptr [00455BF4h] |
mov dword ptr [eax], ecx |
mov eax, dword ptr [00444758h] |
mov eax, dword ptr [eax] |
mov dword ptr [00455C14h], eax |
call 00007F7478743040h |
cmp dword ptr [004550A0h], ebx |
jne 00007F747876CACEh |
push 0043E948h |
call dword ptr [0044475Ch] |
pop ecx |
call 00007F747876CBC5h |
push 00453078h |
push 00453074h |
call 00007F747876CBB0h |
mov eax, dword ptr [00455BF0h] |
mov dword ptr [ebp-6Ch], eax |
lea eax, dword ptr [ebp-6Ch] |
push eax |
push dword ptr [00455BECh] |
lea eax, dword ptr [ebp-64h] |
push eax |
lea eax, dword ptr [ebp-70h] |
push eax |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [00444764h] |
push 00453070h |
push 00453000h |
call 00007F747876CB7Dh |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50b58 | 0x154 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x14cf8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x44000 | 0xaa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x42469 | 0x43000 | False | 0.261452746035 | COM executable for DOS | 3.69971850757 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x44000 | 0xeb80 | 0xf000 | False | 0.221451822917 | data | 3.38138099515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x53000 | 0x2c20 | 0x3000 | False | 0.368815104167 | data | 4.63470137622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x56000 | 0x14cf8 | 0x15000 | False | 0.0564778645833 | data | 0.900735057676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
WININET.dll | FtpPutFileA, InternetConnectA, FtpSetCurrentDirectoryA, FtpCreateDirectoryA, InternetOpenA, InternetGetConnectedState, InternetCloseHandle |
MFC42.DLL | |
MSVCRT.dll | __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _except_handler3, _onexit, __dllonexit, ??1type_info@@UAE@XZ, getenv, strrchr, atoi, _ftol, time, difftime, fabs, floor, strcat, srand, __p__fmode, _stricmp, fopen, fwrite, fclose, strchr, memmove, strncpy, setlocale, isspace, _splitpath, _makepath, strcpy, _strlwr, strstr, wcscmp, strcmp, strncmp, malloc, free, sscanf, strlen, sprintf, _purecall, _CxxThrowException, memcpy, memset, __CxxFrameHandler, __set_app_type, rand, _itoa, wcslen, _setmbcp, _controlfp |
KERNEL32.dll | CloseHandle, FlushViewOfFile, ReleaseMutex, WaitForSingleObject, CreateFileMappingA, MapViewOfFile, CreateMutexA, CreateFileA, DeviceIoControl, GetFileSize, MulDiv, lstrlenA, lstrcmpA, lstrcpynA, GlobalReAlloc, GlobalHandle, UnmapViewOfFile, LoadResource, LockResource, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, FindFirstFileA, GetComputerNameA, GetDateFormatA, GetTimeFormatA, GetVersionExA, OpenProcess, GetCurrentThreadId, WideCharToMultiByte, lstrlenW, MultiByteToWideChar, SetCurrentDirectoryA, SetFileTime, GetSystemTime, GetStartupInfoA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpyA, ReadFile, WriteFile, lstrcmpiA, DeleteFileA, GetTimeZoneInformation, SetLastError, Sleep, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FileTimeToSystemTime, SetFilePointer, GetFileInformationByHandle, SystemTimeToFileTime, GetLocalTime, CreateProcessA, lstrcatA, EnumResourceNamesA, CopyFileA, GetTempFileNameA, GetTempPathA, LocalFree, FormatMessageA, GetLastError, SizeofResource, RemoveDirectoryA, MoveFileA, CreateDirectoryA, GetSystemDirectoryA, GetModuleFileNameA, GetModuleHandleA, ExpandEnvironmentStringsA, GetCurrentProcessId, FindClose, FindResourceA, FindNextFileA |
USER32.dll | GetDlgItemInt, GetDlgItemTextA, MessageBoxA, SetForegroundWindow, FindWindowA, GetWindowTextA, SetClipboardViewer, PostQuitMessage, ChangeClipboardChain, SetMenuDefaultItem, EnableMenuItem, wsprintfA, RegisterHotKey, UnregisterHotKey, LoadImageA, FillRect, DrawTextA, PtInRect, CharLowerA, GetWindowThreadProcessId, AttachThreadInput, CloseClipboard, GetClipboardData, OpenClipboard, IsClipboardFormatAvailable, IsWindowUnicode, LoadStringA, CharUpperBuffA, RedrawWindow, SetWindowLongA, InvalidateRect, MessageBeep, GetDlgCtrlID, DdeFreeStringHandle, IsWindowVisible, GetClassNameA, SendMessageTimeoutA, IsWindow, RegisterWindowMessageA, FindWindowExA, DestroyIcon, AppendMenuA, GetMenuItemCount, GetMenuItemInfoA, GetSubMenu, DrawFrameControl, OffsetRect, DrawIconEx, DrawEdge, GetSystemMetrics, SystemParametersInfoA, GetKeyboardLayout, MapVirtualKeyExA, MapVirtualKeyA, GetKeyNameTextA, EnumChildWindows, GetWindowLongA, IsDlgButtonChecked, GetForegroundWindow, PostMessageA, DdeClientTransaction, DdeGetData, GetSysColor, GetCursorPos, WindowFromPoint, GetCapture, GetWindowRect, GetFocus, InflateRect, CopyRect, DrawFocusRect, SetTimer, GetParent, GetWindowTextLengthA, GetNextDlgTabItem, SetFocus, GetDlgItem, CreatePopupMenu, CheckMenuItem, DdeCreateStringHandleA, GetKeyboardLayoutList, DdeConnect, SendMessageA, EnableWindow, GetDesktopWindow, GetDC, ReleaseDC, DdeFreeDataHandle, DdeDisconnect, DdeInitializeA, DdeUninitialize, KillTimer, DefWindowProcA, IsChild, LoadIconA, SetCursor, LoadCursorA, GetKeyboardLayoutNameA, GetClientRect |
GDI32.dll | BitBlt, SelectObject, CreateCompatibleDC, CreatePen, CreateFontIndirectA, Rectangle, GetTextColor, CreateFontA, GetDIBits, CreateCompatibleBitmap, GetTextExtentPoint32A, CreateSolidBrush, SetTextColor, SetBkMode, DeleteDC, CreateDCA, GetStockObject, GetPaletteEntries, GetObjectA, CreateDIBitmap, CreatePalette, RealizePalette, PatBlt, DeleteObject, CreateBitmap |
comdlg32.dll | GetOpenFileNameA |
ADVAPI32.dll | RegOpenKeyA, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegQueryValueA, RegDeleteValueA, RegCloseKey, RegDeleteKeyA, GetUserNameA, RegOpenKeyExA |
SHELL32.dll | Shell_NotifyIconA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHFileOperationA, ShellExecuteA, ExtractIconExA |
COMCTL32.dll | ImageList_Remove, ImageList_GetImageCount, ImageList_ReplaceIcon, InitCommonControlsEx |
ole32.dll | CoUninitialize, CoInitialize, CoCreateInstance, CoFreeUnusedLibraries |
OLEAUT32.dll | SysStringLen, VariantInit, VariantClear, SysAllocString, SysFreeString |
urlmon.dll | URLDownloadToFileA |
WSOCK32.dll | send, recv, closesocket, select, connect, WSACleanup, ntohl, WSAStartup, htons, ioctlsocket, gethostbyname, bind, WSASetLastError, socket, gethostname |
MSVCP60.dll | ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ |
RPCRT4.dll | UuidCreate, UuidToStringA, RpcStringFreeA |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 23, 2021 17:32:52.835212946 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:52.892349958 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:53.247808933 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:53.310240030 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:53.459800005 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:53.501657009 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:53.511421919 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:53.550204992 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:53.868103981 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:53.931855917 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:54.423717022 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:54.475142956 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:56.360182047 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:56.408806086 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:57.325617075 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:57.378972054 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:58.483364105 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:58.540673971 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:32:59.432522058 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:32:59.494601011 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:00.290999889 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:00.342525005 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:01.303342104 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:01.352052927 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:02.506978035 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:02.557471037 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:03.713850975 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:03.775391102 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:04.744421959 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:04.797744036 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:05.863677979 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:05.912419081 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:06.794970989 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:06.843676090 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:10.461750031 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:10.513417959 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:16.179717064 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:16.230974913 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:17.899775982 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:17.948786020 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:19.083235025 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:19.136178017 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:20.078944921 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:20.127528906 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:20.877273083 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:20.926132917 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:23.138626099 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:23.190361977 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:41.258702993 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:41.352114916 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:42.016740084 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:42.092366934 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:42.684490919 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:42.741871119 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:43.155957937 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:43.216820955 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:43.228245020 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:43.279541016 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:43.878380060 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:43.935725927 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:44.499895096 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:44.557358980 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:45.146218061 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:45.236953974 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:46.009835958 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:46.068258047 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:47.718394041 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:47.776036024 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:48.074347019 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:48.138317108 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:48.232470036 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:48.281176090 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:48.281677008 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:48.330260992 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:58.637748957 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:58.700093985 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:33:58.980968952 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:33:59.045989037 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:34:03.480015993 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:34:03.543883085 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:34:32.999061108 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:34:33.050477982 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
Feb 23, 2021 17:34:34.592492104 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
Feb 23, 2021 17:34:34.650958061 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 17:33:00 |
Start date: | 23/02/2021 |
Path: | C:\Users\user\Desktop\executable.4420.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 438272 bytes |
MD5 hash: | 6192CFBE8E44360F7C0B6F696206F41D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 17:33:02 |
Start date: | 23/02/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3c0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |