Analysis Report executable.4420.exe
Overview

Detection
Score: 60 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Malware Configuration: no configs have been found
Yara Overview: no yara matches
Sigma Overview: no Sigma rule has matched

Signature Overview
AV Detection
- Antivirus / Scanner detection for submitted sample (source: Avira)
- Multi AV Scanner detection for submitted file (source: ReversingLabs)
- Machine Learning detection for sample (source: Joe Sandbox ML)

Compliance
- Uses 32bit PE files (source: Static PE information)

Remaining signature evidence, in report order (only the evidence type survives for these entries; the signature titles and the addresses, strings and paths they refer to are not included):
- Code function (8 entries)
- String found in binary or memory (4 entries)
- Code function (4 entries)
- Process created
- Binary or memory string
- Static PE information
- Classification label
- Code function (4 entries)
- File created
- Mutant created
- File created
- Static PE information
- Key opened
- File read (2 entries)
- ReversingLabs
- Process created (2 entries)
- Code function (4 entries)
- Registry key monitored for changes
- Process information set (23 entries)
- API coverage
- Code function (11 entries)
Mitre Att&ck Matrix

Techniques marked in the matrix, with the superscript markers Joe Sandbox attaches to them (the unmarked cells of the matrix are the fixed ATT&CK template and carry no finding):

Tactic | Technique | Marker
---|---|---
Execution | Native API | 1
Privilege Escalation | Process Injection | 1
Defense Evasion | Masquerading | 1
Defense Evasion | Process Injection | 1
Defense Evasion | Deobfuscate/Decode Files or Information | 1
Defense Evasion | Obfuscated Files or Information | 2
Discovery | System Time Discovery | 11
Discovery | Query Registry | 1
Discovery | Process Discovery | 1
Discovery | Account Discovery | 1
Discovery | System Owner/User Discovery | 1
Discovery | Remote System Discovery | 1
Discovery | File and Directory Discovery | 1
Discovery | System Information Discovery | 3
Collection | Clipboard Data | 2
Exfiltration | Exfiltration Over Alternative Protocol | 1
Command and Control | Ingress Tool Transfer | 11
Command and Control | Application Layer Protocol | 1

Clipboard Data, Exfiltration Over Alternative Protocol and Ingress Tool Transfer line up with the clipboard viewer chain, FTP upload and URLDownloadToFileA imports listed under Static PE Info; the discovery entries line up with GetUserNameA, GetComputerNameA, GetVersionExA, the registry query imports and the time/date APIs.
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Detection | Scanner | Label
---|---|---
74% | ReversingLabs | Win32.Spyware.Perfect
100% | Avira | HEUR/AGEN.1112545
100% | Joe Sandbox ML | (no label)

Dropped Files: no Antivirus matches

Unpacked PE Files

Detection | Scanner | Label
---|---|---
100% | Avira | HEUR/AGEN.1112545
100% | Avira | HEUR/AGEN.1112545

Domains: no Antivirus matches

URLs (the URL strings themselves are not reproduced in the report)

Detection | Scanner | Label
---|---|---
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
1% | Virustotal | (no label)
0% | Avira URL Cloud | safe
0% | Avira URL Cloud | safe
Domains and IPs

Contacted Domains: none
Contacted IPs: none

URLs from Memory and Binaries: four URLs (strings not reproduced in the report), none marked malicious, reputation unknown for all four.
General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356831
Start date: 23.02.2021
Start time: 17:38:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: executable.4420.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.winEXE@2/4@0/0 (Joe Sandbox's classification string: score 60, Windows executable, then processes/dropped files @ contacted domains/contacted IPs; 2/4@0/0 matches the two processes, four dropped files and empty network sections below)
HCA Information: Failed

Simulations (Behavior and APIs): no simulations
Created / dropped Files

All four files were written by C:\Windows\SysWOW64\WerFault.exe, the Windows Error Reporting process, which started two seconds after the sample (see System Behavior), not by the sample itself. They are crash-report artefacts of the 32-bit sample faulting, none is flagged malicious, and the report lists no file names or types for them. Read them as evidence that the sample crashed in this environment, not as a payload.

File 1 (dropped by WerFault.exe)
Size (bytes): 11694
Entropy (8bit): 3.7672748277627535
Encrypted: false
SSDEEP: 192:h/5h7gBgH/UJuLl+7jpLPAz/u7ssS274ItM/1c:tz/UJuLcjCz/u7ssX4It0c
MD5: 7A55A9DC34D7C94401B8ED3160BA0C72
SHA1: F4AE306D576E833E6A99A8363306C07D9DD76A06
SHA-256: 35E4069BB231E06A148487DCAC11D00BE8A891927E7CC072221A7056F001F51C
SHA-512: 9B3C9B7EA90710D5C183686C7CB6977E33357DE869B25ED2D18182B7F94D65BE3CBD209640AE7837043826B243424205AF3939D4D7704BB80C276E5AF9D212E8
Malicious: false
Reputation: low

File 2 (dropped by WerFault.exe)
Size (bytes): 1080022
Entropy (8bit): 1.2269964489942033
Encrypted: false
SSDEEP: 3072:eS293HEp5CUPF0iJTiSQCidYakBWg+vSsThybQv:eS29X65CUPF0iJTiSQCidYakEg+v9Qbm
MD5: B9A9BEE69F8163C259E82977694A384E
SHA1: 500E77B794EB34E6B0A50D43FA8D767CE220D611
SHA-256: EF357D66AA69B8ECAE3AA51BA7FF633B2C709DB23F74EEA1FC236F6C60018722
SHA-512: 018C33E5506E918DF09B1F4859D22AB2D97D5D3A53F85A0736CD1BDADA2C64CDD87862BDBD7158FDF6749D7744CA220BF54C595B2521C6ECADECC955DB9CC61B
Malicious: false
Reputation: low

File 3 (dropped by WerFault.exe)
Size (bytes): 8320
Entropy (8bit): 3.693017369135634
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiUWV68nw6YSeSUh2sLgmfXlZS/LNCpDs89bXnisf79m:RrlsNiV68nw6YbSUh2ogmfLS/LsXnhfM
MD5: C9E60060870D3B974BE4AFC5F943DBB3
SHA1: 66BFC2EE917214F25A0C603029918D30BCB8913F
SHA-256: 918D1EE2E7E2C757290948589858F1515FAC4E694A7236A4D155E0CD1971CE61
SHA-512: AE855276116DCF22E25C23D3D800C4F974AC71C6A2C2AF10EEA556FC4D3F3F3D1413890BCD796B556B9A9DDEB0A5980F88DCEC3FB2C6AF56BAA568AFF42FEFCB
Malicious: false
Reputation: low

File 4 (dropped by WerFault.exe)
Size (bytes): 4597
Entropy (8bit): 4.461112344435761
Encrypted: false
SSDEEP: 48:cvIwSD8zsjtJgtWI9LrWSC8BT8fm8M4JSHd8lFb+q8r3Y70UHj+d:uITfjHYaSNyJS987q3+DHj+d
MD5: 5D91C01CE7A87CC544F3B72FE1EB4DD3
SHA1: 5E7E5241C6400239CB4406316B6AF0FE2FF95FF4
SHA-256: E6BA6B6FBB2687EBA4F1DEE10D64EE7B7AB566032F570DB75477951426E4CA36
SHA-512: 99990EB14ED48B65E833CF3F67CE36E24912B5DBE627BE1AC8340D8BB7970D10593D05634FE7290EACE6311B042C2690EB720E197B5786DA8057BDDDD2E596F7
Malicious: false
Reputation: low
Static File Info

File name: executable.4420.exe
File size: 438272
Entropy (8bit): 3.300468788976393
MD5: 6192cfbe8e44360f7c0b6f696206f41d
SHA1: 166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256: 8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
SHA512: d492b9ea094bd6e695a562a855587feaf793be0cb35cf28df681a0022a8e0139a222a68bd578fb65b125fe9fea86f1f596bf337e65a445e8a5286d95ae037857
SSDEEP: 3072:U+NvJwwbI7mZgauugh+KsvkfGDLNj58E2wL6uEXKIwjwxhfgtRlh:9swbYmZgarrKsvVDR5POuE6Iwqf4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u....R...R...R.].R...R.c.R...R.]>R...R.\.R...R.`.R...R\c.R...R.`.R...R.`.R...R.Y.R...R...R.}.R%\.R...R...R...R.Y.R...R.y.R...

File Icon
Icon Hash: 00828e8e8686b000
Static PE Info

Entrypoint: 0x43e7ae (in .text)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: none set
Time Stamp: 0x47299316 [Thu Nov 1 08:49:26 2007 UTC]
TLS Callbacks: none (TLS data directory is empty)
CLR (.Net) Version: none (native code; COM descriptor directory is empty)
OS Version: 4.0
File Version: 4.0
Subsystem Version: 4.0
Import Hash: 4dc9b0b4e019be52f23cc9a3c195910d

Review points from the header: with no DllCharacteristics bits and RELOCS_STRIPPED set, the image cannot be relocated, so it always maps at 0x400000 and gets neither ASLR nor the NX_COMPAT (DEP) opt-in; there is no Authenticode signature, no TLS directory and no load configuration directory, hence no SafeSEH handler table. The 2007 link timestamp, subsystem version 4.0 and the MFC42.DLL, MSVCRT.dll and MSVCP60.dll imports below are consistent with a Visual C++ 6 build. The import hash is the value to pivot on for related samples, since it survives recompiles that keep the same import set.
Entrypoint Preview

The instructions at 0x43e7ae are the stock MSVC 6 CRT startup for a GUI program: an SEH frame is registered, `__set_app_type(2)` selects GUI mode, `_fmode`, `_commode` and `_adjust_fdiv` are copied into the CRT, the math-error handler and the initializer tables are run, and `__getmainargs` is called with five arguments before control reaches `WinMain`. Nothing sample-specific executes in this preview. The import names in the comments are inferred from that well-known call order and from the MSVCRT import list below, not taken from the report; the `00007F49...` call targets are how the report rendered relative calls and are not addresses inside this 32-bit image.

```asm
push ebp
mov ebp, esp
push FFFFFFFFh                      ; trylevel -1 for the CRT's SEH frame
push 0044A588h                      ; scope table (inferred)
push 0043E91Eh                      ; exception handler thunk (inferred)
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp   ; link the frame into the SEH chain
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00444824h]          ; __set_app_type(2 = GUI app) (inferred)
pop ecx
or dword ptr [00455C18h], FFFFFFFFh
or dword ptr [00455C1Ch], FFFFFFFFh
call dword ptr [004447B4h]          ; __p__fmode() (inferred)
mov ecx, dword ptr [00455BF8h]
mov dword ptr [eax], ecx
call dword ptr [00444754h]          ; __p__commode() (inferred)
mov ecx, dword ptr [00455BF4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00444758h]      ; _adjust_fdiv (inferred)
mov eax, dword ptr [eax]
mov dword ptr [00455C14h], eax
call 00007F4964A1E080h              ; internal CRT helper
cmp dword ptr [004550A0h], ebx
jne 00007F4964A47B0Eh
push 0043E948h
call dword ptr [0044475Ch]          ; __setusermatherr (inferred)
pop ecx
call 00007F4964A47C05h              ; internal CRT helper
push 00453078h
push 00453074h
call 00007F4964A47BBDh              ; _initterm over the first initializer table (inferred)
mov eax, dword ptr [00455BF0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00455BECh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00444764h]          ; __getmainargs(&argc, &argv, &envp, dowildcard, &startinfo) (inferred)
push 00453070h
push 00453000h
call 00007F4964A47BBDh              ; _initterm over the second initializer table (inferred)
```
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50b58 | 0x154 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x14cf8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x44000 | 0xaa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---|---|---|---|---|---|---|---|---
.text | 0x1000 | 0x42469 | 0x43000 | False | 0.261452746035 | COM executable for DOS | 3.69971850757 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x44000 | 0xeb80 | 0xf000 | False | 0.221451822917 | data | 3.38138099515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x53000 | 0x2c20 | 0x3000 | False | 0.368815104167 | data | 4.63470137622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x56000 | 0x14cf8 | 0x15000 | False | 0.0564778645833 | data | 0.900735057676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The File Type column is libmagic's guess over the raw section bytes; "COM executable for DOS" is its stock answer for a headerless blob of x86 code and does not mean a DOS program is embedded. Section entropies between 0.9 and 4.6 bits, and a resource section that is almost entirely repeated bytes (ZLIB complexity 0.056 over 84 KB), argue against a packed or encrypted payload. The only writable section is .data, and no section is both writable and executable.
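The checks above (characteristics flags, DllCharacteristics, link timestamp, which data directories are empty, per-section entropy) can be made mechanically with nothing but the struct module. The block below is an added example, not code from Joe Sandbox or from any tool the report uses: it parses a PE32 image from bytes and derives the same review points. Because the sample itself is not reproduced here, build_sample_pe() constructs a small PE in memory whose header values mirror the ones listed above (Characteristics 0x010F, no DllCharacteristics, TimeDateStamp 0x47299316, base 0x400000, entry RVA 0x3e7ae, the same four section names); its section contents and sizes are filler, and the parser deliberately handles PE32 only, not PE32+.

```python
"""PE32 header review: decode Characteristics, DllCharacteristics, TimeDateStamp,
data directories and section entropy, then derive hardening findings.

Added example, not Joe Sandbox code. build_sample_pe() is a constructed image
that mirrors the report's header values; its section bodies are filler.
"""
import math
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {           # IMAGE_FILE_HEADER.Characteristics bits
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {            # IMAGE_OPTIONAL_HEADER.DllCharacteristics mitigation opt-ins
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
}
DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
               "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
               "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the measure behind the report's 'Entropy (8bit)' columns."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """DOS header -> COFF header -> PE32 optional header -> data directories -> section table."""
    image = bytes(image)
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (not PE32+)")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    base = struct.unpack_from("<I", image, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = {DIRECTORIES[i]: struct.unpack_from("<II", image, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize, "flags": flags,
                         "entropy": round(shannon_entropy(image[rawptr:rawptr + rawsize]), 3)})
    return {"machine": machine, "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "characteristics": [n for b, n in FILE_CHARACTERISTICS.items() if chars & b],
            "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b],
            "image_base": base, "entrypoint": base + entry, "subsystem": subsystem,
            "directories": dirs, "sections": sections}


def hardening_findings(pe: dict) -> list:
    """The review points a static triage should raise for a PE32 image."""
    f = []
    if "RELOCS_STRIPPED" in pe["characteristics"] or "DYNAMIC_BASE" not in pe["dll_characteristics"]:
        f.append("no ASLR: fixed load address 0x%x" % pe["image_base"])
    if "NX_COMPAT" not in pe["dll_characteristics"]:
        f.append("no DEP opt-in (NX_COMPAT clear)")
    if "GUARD_CF" not in pe["dll_characteristics"]:
        f.append("no Control Flow Guard")
    if pe["directories"]["SECURITY"] == (0, 0):
        f.append("no Authenticode signature")
    if pe["directories"]["LOAD_CONFIG"] == (0, 0):
        f.append("no load config, so no SafeSEH handler table")
    if pe["directories"]["TLS"] != (0, 0):
        f.append("TLS directory present: inspect callbacks that run before the entry point")
    write_exec = 0x80000000 | 0x20000000                          # MEM_WRITE | MEM_EXECUTE
    f += ["section %s is writable and executable" % s["name"]
          for s in pe["sections"] if s["flags"] & write_exec == write_exec]
    return f


def build_sample_pe() -> bytes:
    """Constructed PE32 mirroring the report's header values; section bodies are filler."""
    sect_align, file_align = 0x1000, 0x200
    bodies = [(b".text", 0x60000020, bytes(range(256)) * 16),      # max-entropy filler
              (b".rdata", 0x40000040, b"MFC42.DLL\0" * 16),
              (b".data", 0xC0000040, b"\0" * 0x200),
              (b".rsrc", 0x40000040, b"\0" * 0x1000)]              # flat bytes, like the real .rsrc
    headers, blobs, va, raw = [], [], sect_align, 0x400
    for name, flags, body in bodies:
        padded = body + b"\0" * (-len(body) % file_align)
        headers.append(struct.pack("<8sIIIIIIHHI", name, len(body), va, len(padded), raw, 0, 0, 0, 0, flags))
        blobs.append(padded)
        va += -(-len(body) // sect_align) * sect_align
        raw += len(padded)
    dirs = [(0, 0)] * 16                                            # SECURITY, TLS, LOAD_CONFIG stay empty
    dirs[1], dirs[2], dirs[12] = (0x2000, 0x154), (0x4000, 0x1000), (0x2200, 0x100)
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0x47299316, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 6, 0, 0x1000, 0x1300, 0, 0x3E7AE, 0x1000, 0x2000, 0x400000,
                      sect_align, file_align, 4, 0, 4, 0, 4, 0, 0, va, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    head = bytes(dos) + b"PE\0\0" + coff + opt + b"".join(headers)
    return head + b"\0" * (0x400 - len(head)) + b"".join(blobs)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("linked", info["timestamp"].isoformat(), "entry 0x%x" % info["entrypoint"])
    for s in info["sections"]:
        print("%-7s rva 0x%05x raw 0x%05x entropy %.3f" % (s["name"], s["va"], s["rawsize"], s["entropy"]))
    for finding in hardening_findings(info):
        print(" -", finding)
```

On the constructed image the findings are: no ASLR (fixed base 0x400000), no DEP opt-in, no Control Flow Guard, no Authenticode signature and no SafeSEH table, the same five that apply to the header values listed above; `parse_pe(open(path, "rb").read())` on the real file gives the report's own numbers. The .rsrc entropy of the constructed image is 0 because its body is filler, whereas the report shows 0.90 for the real section.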
Imports

The import table is the most informative static evidence in this report, and the combination is characteristic of monitoring/spyware tooling: WININET's FTP upload set (InternetConnectA, FtpCreateDirectoryA, FtpSetCurrentDirectoryA, FtpPutFileA) is an exfiltration channel; urlmon's URLDownloadToFileA next to CreateProcessA and ShellExecuteA is download-and-run; USER32's SetClipboardViewer, ChangeClipboardChain and GetClipboardData form a clipboard viewer chain that is notified on every clipboard change; GetKeyNameTextA, MapVirtualKeyA, MapVirtualKeyExA, GetKeyboardLayout, GetKeyboardLayoutList, RegisterHotKey and AttachThreadInput together with GetForegroundWindow and GetWindowTextA are the usual primitives for keystroke and window-title logging; GDI32's CreateDCA, CreateCompatibleDC, BitBlt and GetDIBits are screen capture; GetUserNameA, GetComputerNameA and GetVersionExA profile the host; RegCreateKeyA and RegSetValueExA allow registry persistence; Shell_NotifyIconA gives the program a tray icon; the DDE client calls (DdeInitializeA, DdeConnect, DdeClientTransaction) let it drive other applications; CreateMutexA matches the "Mutant created" entry in the signature sources. This agrees with the ReversingLabs label Win32.Spyware.Perfect and with the Clipboard Data, Exfiltration Over Alternative Protocol and Ingress Tool Transfer cells of the ATT&CK matrix. Imports show capability, not observed behaviour: none of the network calls fired in this run because the process faulted within two seconds of starting.

DLL | Import
---|---
WININET.dll | FtpPutFileA, InternetConnectA, FtpSetCurrentDirectoryA, FtpCreateDirectoryA, InternetOpenA, InternetGetConnectedState, InternetCloseHandle |
MFC42.DLL | |
MSVCRT.dll | __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _except_handler3, _onexit, __dllonexit, ??1type_info@@UAE@XZ, getenv, strrchr, atoi, _ftol, time, difftime, fabs, floor, strcat, srand, __p__fmode, _stricmp, fopen, fwrite, fclose, strchr, memmove, strncpy, setlocale, isspace, _splitpath, _makepath, strcpy, _strlwr, strstr, wcscmp, strcmp, strncmp, malloc, free, sscanf, strlen, sprintf, _purecall, _CxxThrowException, memcpy, memset, __CxxFrameHandler, __set_app_type, rand, _itoa, wcslen, _setmbcp, _controlfp |
KERNEL32.dll | CloseHandle, FlushViewOfFile, ReleaseMutex, WaitForSingleObject, CreateFileMappingA, MapViewOfFile, CreateMutexA, CreateFileA, DeviceIoControl, GetFileSize, MulDiv, lstrlenA, lstrcmpA, lstrcpynA, GlobalReAlloc, GlobalHandle, UnmapViewOfFile, LoadResource, LockResource, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, FindFirstFileA, GetComputerNameA, GetDateFormatA, GetTimeFormatA, GetVersionExA, OpenProcess, GetCurrentThreadId, WideCharToMultiByte, lstrlenW, MultiByteToWideChar, SetCurrentDirectoryA, SetFileTime, GetSystemTime, GetStartupInfoA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpyA, ReadFile, WriteFile, lstrcmpiA, DeleteFileA, GetTimeZoneInformation, SetLastError, Sleep, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FileTimeToSystemTime, SetFilePointer, GetFileInformationByHandle, SystemTimeToFileTime, GetLocalTime, CreateProcessA, lstrcatA, EnumResourceNamesA, CopyFileA, GetTempFileNameA, GetTempPathA, LocalFree, FormatMessageA, GetLastError, SizeofResource, RemoveDirectoryA, MoveFileA, CreateDirectoryA, GetSystemDirectoryA, GetModuleFileNameA, GetModuleHandleA, ExpandEnvironmentStringsA, GetCurrentProcessId, FindClose, FindResourceA, FindNextFileA |
USER32.dll | GetDlgItemInt, GetDlgItemTextA, MessageBoxA, SetForegroundWindow, FindWindowA, GetWindowTextA, SetClipboardViewer, PostQuitMessage, ChangeClipboardChain, SetMenuDefaultItem, EnableMenuItem, wsprintfA, RegisterHotKey, UnregisterHotKey, LoadImageA, FillRect, DrawTextA, PtInRect, CharLowerA, GetWindowThreadProcessId, AttachThreadInput, CloseClipboard, GetClipboardData, OpenClipboard, IsClipboardFormatAvailable, IsWindowUnicode, LoadStringA, CharUpperBuffA, RedrawWindow, SetWindowLongA, InvalidateRect, MessageBeep, GetDlgCtrlID, DdeFreeStringHandle, IsWindowVisible, GetClassNameA, SendMessageTimeoutA, IsWindow, RegisterWindowMessageA, FindWindowExA, DestroyIcon, AppendMenuA, GetMenuItemCount, GetMenuItemInfoA, GetSubMenu, DrawFrameControl, OffsetRect, DrawIconEx, DrawEdge, GetSystemMetrics, SystemParametersInfoA, GetKeyboardLayout, MapVirtualKeyExA, MapVirtualKeyA, GetKeyNameTextA, EnumChildWindows, GetWindowLongA, IsDlgButtonChecked, GetForegroundWindow, PostMessageA, DdeClientTransaction, DdeGetData, GetSysColor, GetCursorPos, WindowFromPoint, GetCapture, GetWindowRect, GetFocus, InflateRect, CopyRect, DrawFocusRect, SetTimer, GetParent, GetWindowTextLengthA, GetNextDlgTabItem, SetFocus, GetDlgItem, CreatePopupMenu, CheckMenuItem, DdeCreateStringHandleA, GetKeyboardLayoutList, DdeConnect, SendMessageA, EnableWindow, GetDesktopWindow, GetDC, ReleaseDC, DdeFreeDataHandle, DdeDisconnect, DdeInitializeA, DdeUninitialize, KillTimer, DefWindowProcA, IsChild, LoadIconA, SetCursor, LoadCursorA, GetKeyboardLayoutNameA, GetClientRect |
GDI32.dll | BitBlt, SelectObject, CreateCompatibleDC, CreatePen, CreateFontIndirectA, Rectangle, GetTextColor, CreateFontA, GetDIBits, CreateCompatibleBitmap, GetTextExtentPoint32A, CreateSolidBrush, SetTextColor, SetBkMode, DeleteDC, CreateDCA, GetStockObject, GetPaletteEntries, GetObjectA, CreateDIBitmap, CreatePalette, RealizePalette, PatBlt, DeleteObject, CreateBitmap |
comdlg32.dll | GetOpenFileNameA |
ADVAPI32.dll | RegOpenKeyA, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegQueryValueA, RegDeleteValueA, RegCloseKey, RegDeleteKeyA, GetUserNameA, RegOpenKeyExA |
SHELL32.dll | Shell_NotifyIconA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHFileOperationA, ShellExecuteA, ExtractIconExA |
COMCTL32.dll | ImageList_Remove, ImageList_GetImageCount, ImageList_ReplaceIcon, InitCommonControlsEx |
ole32.dll | CoUninitialize, CoInitialize, CoCreateInstance, CoFreeUnusedLibraries |
OLEAUT32.dll | SysStringLen, VariantInit, VariantClear, SysAllocString, SysFreeString |
urlmon.dll | URLDownloadToFileA |
WSOCK32.dll | send, recv, closesocket, select, connect, WSACleanup, ntohl, WSAStartup, htons, ioctlsocket, gethostbyname, bind, WSASetLastError, socket, gethostname |
MSVCP60.dll | ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ |
RPCRT4.dll | UuidCreate, UuidToStringA, RpcStringFreeA |
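Reading an import table the way the paragraph above does is a rule-matching exercise, and writing the rules down makes the confidence behind each claim explicit. The block below is an added example, not code from Joe Sandbox, capa or any other project; the rules, their ATT&CK mappings and the strong/medium/weak labels are the example's own judgement. SAMPLE_IMPORTS is transcribed from the table above (a subset; MFC42.DLL lists no named imports and is omitted), and BENIGN_GUI_IMPORTS is a constructed contrast case standing in for an ordinary GUI utility.

```python
"""Import-table capability triage.

Added example (not Joe Sandbox, capa or any project's code). The rules, their
ATT&CK mappings and the confidence labels are this example's own judgement;
SAMPLE_IMPORTS is transcribed from the report's Imports table (subset) and
BENIGN_GUI_IMPORTS is a constructed contrast case.
"""
from typing import Dict, List, Set

SAMPLE_IMPORTS: Dict[str, List[str]] = {
    "WININET.dll": ["FtpPutFileA", "InternetConnectA", "FtpSetCurrentDirectoryA",
                    "FtpCreateDirectoryA", "InternetOpenA", "InternetGetConnectedState"],
    "KERNEL32.dll": ["CreateMutexA", "CreateProcessA", "GetComputerNameA", "GetVersionExA",
                     "OpenProcess", "CopyFileA", "DeleteFileA", "FindFirstFileA", "Sleep"],
    "USER32.dll": ["SetClipboardViewer", "ChangeClipboardChain", "OpenClipboard",
                   "GetClipboardData", "RegisterHotKey", "GetKeyNameTextA", "MapVirtualKeyA",
                   "GetKeyboardLayout", "GetForegroundWindow", "GetWindowTextA",
                   "AttachThreadInput", "FindWindowA"],
    "GDI32.dll": ["BitBlt", "CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits",
                  "CreateDCA"],
    "ADVAPI32.dll": ["RegOpenKeyA", "RegSetValueExA", "RegCreateKeyA", "RegQueryValueExA",
                     "GetUserNameA"],
    "SHELL32.dll": ["Shell_NotifyIconA", "ShellExecuteA"],
    "urlmon.dll": ["URLDownloadToFileA"],
    "WSOCK32.dll": ["socket", "connect", "send", "recv", "gethostbyname", "gethostname"],
}

# Constructed contrast case: an ordinary GUI utility that also draws and fetches over HTTP.
BENIGN_GUI_IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": ["CreateFileA", "ReadFile", "WriteFile", "GetVersionExA", "Sleep"],
    "USER32.dll": ["MessageBoxA", "GetDlgItemTextA", "SetTimer", "GetKeyNameTextA",
                   "MapVirtualKeyA", "OpenClipboard", "GetClipboardData"],
    "GDI32.dll": ["BitBlt", "CreateCompatibleDC", "SelectObject", "DeleteObject"],
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
}

# (capability, ATT&CK technique, all_of, any_of, confidence). A rule fires when every
# all_of API is imported and, when any_of is non-empty, at least one of those as well.
# Confidence says how specific the cluster is to the behaviour: a GDI blit or a keyboard
# layout query is everyday UI code, FTP upload with directory creation is not.
RULES = [
    ("FTP upload to a remote server", "T1048 Exfiltration Over Alternative Protocol",
     {"InternetConnectA", "FtpPutFileA"}, set(), "strong"),
    ("Download by URL, then launch", "T1105 Ingress Tool Transfer",
     {"URLDownloadToFileA"}, {"CreateProcessA", "ShellExecuteA", "WinExec"}, "strong"),
    ("Clipboard viewer chain (notified on every clipboard change)", "T1115 Clipboard Data",
     {"SetClipboardViewer", "ChangeClipboardChain", "GetClipboardData"}, set(), "strong"),
    ("Key-name translation with foreground window tracking", "T1056.001 Keylogging",
     {"GetKeyNameTextA", "GetForegroundWindow", "GetWindowTextA"},
     {"AttachThreadInput", "RegisterHotKey", "SetWindowsHookExA", "GetAsyncKeyState"}, "medium"),
    ("Screen copy into a DIB", "T1113 Screen Capture",
     {"BitBlt", "GetDIBits"}, {"CreateDCA", "GetDC", "GetDesktopWindow"}, "medium"),
    ("Host and user identification", "T1033 System Owner/User Discovery",
     {"GetUserNameA", "GetComputerNameA"}, {"GetVersionExA"}, "medium"),
    ("Registry value write (run-key persistence possible)", "T1547.001 Registry Run Keys",
     {"RegSetValueExA"}, {"RegCreateKeyA", "RegOpenKeyA", "RegOpenKeyExA"}, "weak"),
    ("Raw socket client", "T1095 Non-Application Layer Protocol",
     {"socket", "connect", "send", "recv"}, set(), "weak"),
]
ORDER = {"strong": 0, "medium": 1, "weak": 2}


def flatten(imports: Dict[str, List[str]]) -> Set[str]:
    """Match on function names only: the DLL adds nothing to these rules, and
    forwarded exports (kernel32 -> kernelbase) make DLL-qualified names brittle."""
    return {fn for fns in imports.values() for fn in fns}


def triage(imports: Dict[str, List[str]]) -> List[dict]:
    """Fired rules, strongest first, each with the imports that triggered it."""
    names = flatten(imports)
    hits = []
    for capability, technique, all_of, any_of, confidence in RULES:
        if all_of <= names and (not any_of or any_of & names):
            hits.append({"capability": capability, "technique": technique,
                         "confidence": confidence,
                         "evidence": sorted(all_of | (any_of & names))})
    return sorted(hits, key=lambda h: ORDER[h["confidence"]])


def strong_techniques(imports: Dict[str, List[str]]) -> Set[str]:
    """Technique IDs backed by strong evidence: the set to compare with a sandbox ATT&CK matrix."""
    return {h["technique"].split()[0] for h in triage(imports) if h["confidence"] == "strong"}


if __name__ == "__main__":
    for label, imports in (("sample", SAMPLE_IMPORTS), ("benign contrast", BENIGN_GUI_IMPORTS)):
        print(f"== {label}: {len(triage(imports))} rule(s) fired ==")
        for h in triage(imports):
            print(f"  [{h['confidence']}] {h['technique']}: {h['capability']}")
            print(f"      evidence: {', '.join(h['evidence'])}")
```

Run against the transcribed imports, the sample yields three strong hits (T1048, T1105, T1115), which are exactly the Exfiltration Over Alternative Protocol, Ingress Tool Transfer and Clipboard Data cells marked in the report's ATT&CK matrix; keylogging and screen capture fire only at medium confidence because their APIs are also ordinary UI calls, and the contrast case fires nothing. Import triage states capability, not observed behaviour, which is why it belongs next to the dynamic sections rather than in place of them.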
Network Behavior

The report attributes no contacted domains or IPs to the sample (Domains and IPs above), and the only captured traffic is DNS from the analysis VM (192.168.2.3) to 8.8.8.8 on UDP/53. Those queries begin at 17:39:25, eight seconds before the sample process starts at 17:39:33, and continue after WerFault.exe appears at 17:39:35, so they are the host's own name resolution rather than sample activity. The FTP and URLDownloadToFileA capabilities in the import table were never exercised in this run because the process faulted within two seconds of starting; confirming any upload endpoint needs a run in which the sample survives.

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
---|---|---|---|---
Feb 23, 2021 17:39:25.233937979 CET | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:25.285471916 CET | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:26.376651049 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:26.428426981 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:28.041127920 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:28.100127935 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:28.905944109 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:28.973481894 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:29.322885990 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:29.392126083 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:30.896219969 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:30.944962025 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:31.976865053 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:32.029597998 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:33.256689072 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:33.305219889 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:34.683229923 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:34.736665964 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:35.631702900 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:35.680376053 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:36.559864044 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:36.617083073 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:37.945734978 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:37.994498968 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:39.115470886 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:39.164233923 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:39.239679098 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:39.288265944 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:40.260013103 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:40.308773994 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:41.080451965 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:41.129209995 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:42.294761896 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:42.354716063 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:43.181158066 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:43.232711077 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:44.147665024 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:44.196490049 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:45.087042093 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:45.135683060 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:39:58.153821945 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:39:58.212501049 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:40:05.136533022 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:40:05.185122967 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:40:18.742022038 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:40:18.799397945 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:40:27.437750101 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:40:27.509244919 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:40:46.809015036 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:40:46.857649088 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:40:52.416899920 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:40:52.480557919 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:41:21.967437983 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:41:22.018543959 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:41:23.779164076 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:41:23.839287043 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:21.578418970 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:21.638370037 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:22.242088079 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:22.302165985 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:22.883418083 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:22.943257093 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:23.421056032 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:23.480940104 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:24.035535097 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:24.092859030 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:24.596959114 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:24.646073103 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:25.192250013 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:25.252090931 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:25.980870962 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:26.029532909 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:27.071306944 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:27.119978905 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3 |
Feb 23, 2021 17:42:27.595020056 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8 |
Feb 23, 2021 17:42:27.652151108 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3 |
System Behavior

Process 1
Start time: 17:39:33
Start date: 23/02/2021
Path: C:\Users\user\Desktop\executable.4420.exe
Wow64 process (32bit): true
Imagebase: 0x400000
File size: 438272 bytes
MD5 hash: 6192CFBE8E44360F7C0B6F696206F41D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Process 2
Start time: 17:39:35
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Imagebase: 0x7ff7488e0000 (as reported; a 32-bit WOW64 image cannot be mapped above 4 GB, so this value does not agree with the Wow64 flag)
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

WerFault.exe is Windows Error Reporting; its start two seconds after the sample, as the 32-bit SysWOW64 instance, shows the sample faulted almost immediately, and the four dropped files above are its crash report. The run had elevated and administrator privileges, so nothing the sample could do would have been blocked by UAC, yet the analysis ended on timeout with no persistence, network contact or file activity attributable to the sample. The static findings (imports, AV labels) therefore carry the verdict here; a second run on a different OS build, or under a debugger to capture the faulting instruction, is the next step before drawing conclusions about its runtime behaviour.