Analysis Report i6xFULh8J5.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com", "Password": "hbhf@--8hyhb#E6g", "Host": "mail.mytravelws.com"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 13 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 31 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Compliance: |
---|
Detected unpacking (creates a PE file in dynamic memory) | Show sources |
Source: | Unpacked PE file: |
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00405E61 | |
Source: | Code function: | 0_2_0040548B | |
Source: | Code function: | 0_2_0040263E |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_00405042 |
Source: | Code function: | 0_2_0040323C |
Source: | Code function: | 0_2_00404853 | |
Source: | Code function: | 0_2_00406131 | |
Source: | Code function: | 0_2_6FC71A98 | |
Source: | Code function: | 1_3_05969919 |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_00404356 |
Source: | Code function: | 0_2_00402020 |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Section loaded: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) | Show sources |
Source: | Unpacked PE file: |
Detected unpacking (creates a PE file in dynamic memory) | Show sources |
Source: | Unpacked PE file: |
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_00405E88 |
Source: | Code function: | 0_2_6FC72F8E | |
Source: | Code function: | 1_3_05979E89 | |
Source: | Code function: | 1_3_05979E89 | |
Source: | Code function: | 1_3_0597E221 | |
Source: | Code function: | 1_3_0597C115 | |
Source: | Code function: | 1_3_0597E21E | |
Source: | Code function: | 1_3_0597E251 | |
Source: | Code function: | 1_3_0597E25B | |
Source: | Code function: | 1_3_0597CD65 | |
Source: | Code function: | 1_3_05979E89 | |
Source: | Code function: | 1_3_05979E89 | |
Source: | Code function: | 1_3_05965B4C |
Source: | File created: | Jump to dropped file |
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion: |
---|
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) | Show sources |
Source: | WMI Queries: |
Source: | File opened / queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Code function: | 0_2_00405E61 | |
Source: | Code function: | 0_2_0040548B | |
Source: | Code function: | 0_2_0040263E |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Code function: | 0_2_00405E88 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion: |
---|
Maps a DLL or memory area into another process | Show sources |
Source: | Section loaded: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_00405B88 |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) | Show sources |
Source: | Key opened: | Jump to behavior |
Tries to harvest and steal browser information (history, passwords, etc) | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Tries to harvest and steal ftp login credentials | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Tries to steal Mail credentials (via file access) | Show sources |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Yara detected AgentTesla | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information1 | Credentials in Registry1 | System Information Discovery116 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing31 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Security Software Discovery121 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion141 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection112 | Cached Domain Credentials | Virtualization/Sandbox Evasion141 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
13% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Metadefender | Browse | ||
0% | ReversingLabs |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Spy.Gen8 | Download File | ||
100% | Avira | TR/Spy.Gen8 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | HEUR/AGEN.1137482 | Download File | ||
100% | Avira | TR/Spy.Gen8 | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
mytravelws.com | 185.145.97.154 | true | true | unknown | |
mail.mytravelws.com | unknown | unknown | true |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| low | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| low | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| low |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.145.97.154 | mytravelws.com | Netherlands | 54290 | HOSTWINDSUS | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 432660 |
Start date: | 10.06.2021 |
Start time: | 16:30:27 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 26s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | i6xFULh8J5.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 16 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@3/5@4/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
16:31:28 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
185.145.97.154 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
HOSTWINDSUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\i6xFULh8J5.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 292864 |
Entropy (8bit): | 7.999431096026405 |
Encrypted: | true |
SSDEEP: | 6144:Fl0wrd3yw6dDxCbwJQ2BYabuiDeD7rSphe5Tx/J81Y454:/rNyzCbwGebpheTx/Ju4 |
MD5: | 50C707C4A6C86D7DEEA6AB366421D287 |
SHA1: | D8C267A75759ACFA4C41440FA114F1537C1C6DEB |
SHA-256: | D318B7EA53EA3BAEA3077BDF6A509F5795F50347BCED88553B49224322115CBF |
SHA-512: | B0E7AD4DB0358D8598E97EC9D3766115520CEA7586B1E1145DDB08D94DE4C39CE541CB5E11BDD45054B222778708A30A98B4044809110D76825F52DE8B20DDB6 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\i6xFULh8J5.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 56353 |
Entropy (8bit): | 4.960718014510871 |
Encrypted: | false |
SSDEEP: | 768:PtBIk3+DDvjQSgCsBn/7sUA+J2/yBjJi+X7eqJpVxdk2q8xlB9mPiM8+xlMg8VS:1y/DCdBDsd+JQelnVxdkB8/B9mPi2yVS |
MD5: | 9C22DFC73C577BE53A2D0216ED1D846F |
SHA1: | B6C3D777BFD8D4EA20AF30D77D413B50B558CB88 |
SHA-256: | CC6D0EC0C062FBB1934B0CDE671CD19F10130B7773F707F3CEBFC48841268DE3 |
SHA-512: | ED4A93461E65AD09228481AA973082F4319453ED77D62273E8535C8DD25FD7C92CA4BB1CF4A5D467E1D1B04593B9CEE3E30079CC682F32D8242E84BDD0C0DF00 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\i6xFULh8J5.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 388931 |
Entropy (8bit): | 7.644285707033539 |
Encrypted: | false |
SSDEEP: | 6144:ph4l0wrd3yw6dDxCbwJQ2BYabuiDeD7rSphe5Tx/J81Y45s/ZQjkIuPut:KrNyzCbwGebpheTx/JusCjkI8m |
MD5: | 779592F0B8F98EBF3E724421735E1876 |
SHA1: | 97C3E60CF03CBF2F57F78A172E09A53DB520F9E5 |
SHA-256: | 9066D1B11F2B6FB122A37F20AA9DFD2FFFC99230A3328844E5BFBB79857FCE9A |
SHA-512: | 3F97F51DCA3A32825DB0806304137B16DDDBED911FBFAFEF70ACDA34D8093AC3C90B6EADA45FF32A190D1B8E0A279915E82AF5BE5EE5AEBCDCB69E12C3D18D53 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Users\user\Desktop\i6xFULh8J5.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.855045165595541 |
Encrypted: | false |
SSDEEP: | 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4 |
MD5: | FCCFF8CB7A1067E23FD2E2B63971A8E1 |
SHA1: | 30E2A9E137C1223A78A0F7B0BF96A1C361976D91 |
SHA-256: | 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E |
SHA-512: | F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\user\Desktop\i6xFULh8J5.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 0.7006690334145785 |
Encrypted: | false |
SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ |
MD5: | A7FE10DA330AD03BF22DC9AC76BBB3E4 |
SHA1: | 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803 |
SHA-256: | 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8 |
SHA-512: | 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.080951210547221 |
TrID: |
|
File name: | i6xFULh8J5.exe |
File size: | 540995 |
MD5: | 6c425cf25da766d3d98597a9be4e7300 |
SHA1: | 874344555856dca223730f32ac81b8a743db4cfd |
SHA256: | 0b72882fbad7f826525003747565e03257ad2e9f60b70d53fe11686dfff1705c |
SHA512: | 6a43093a9eb59d68c6fc7347eab380bd9dd35d4b8badc58eb744643e6a7b97425b6b5f21078c46bd9ef988c4ec4b813a14cf2a92f8e2e557c0dda5d82a6a87a9 |
SSDEEP: | 6144:6sS4XfaAuVCZHen8rTxSLMsM30U2ckP0v5AhLxr0sQfjF9fc5+L+k6uzVXvC2f/N:skNfxxvxe0RAz4eo4cVRf/pJdNoSAg |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\......... |
File Icon |
---|
Icon Hash: | 31f8d4f0e8f47080 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40323c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 099c0646ea7282d232219f8807883be0 |
Entrypoint Preview |
---|
Instruction |
---|
sub esp, 00000180h |
push ebx |
push ebp |
push esi |
xor ebx, ebx |
push edi |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 00409130h |
xor esi, esi |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [00407030h] |
push 00008001h |
call dword ptr [004070B4h] |
push ebx |
call dword ptr [0040727Ch] |
push 00000008h |
mov dword ptr [00423F58h], eax |
call 00007F2FACA0072Eh |
mov dword ptr [00423EA4h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 00000160h |
push eax |
push ebx |
push 0041F458h |
call dword ptr [00407158h] |
push 004091B8h |
push 004236A0h |
call 00007F2FACA003E1h |
call dword ptr [004070B0h] |
mov edi, 00429000h |
push eax |
push edi |
call 00007F2FACA003CFh |
push ebx |
call dword ptr [0040710Ch] |
cmp byte ptr [00429000h], 00000022h |
mov dword ptr [00423EA0h], eax |
mov eax, edi |
jne 00007F2FAC9FDB2Ch |
mov byte ptr [esp+14h], 00000022h |
mov eax, 00429001h |
push dword ptr [esp+14h] |
push eax |
call 00007F2FAC9FFEC2h |
push eax |
call dword ptr [0040721Ch] |
mov dword ptr [esp+1Ch], eax |
jmp 00007F2FAC9FDB85h |
cmp cl, 00000020h |
jne 00007F2FAC9FDB28h |
inc eax |
cmp byte ptr [eax], 00000020h |
je 00007F2FAC9FDB1Ch |
cmp byte ptr [eax], 00000022h |
mov byte ptr [eax+eax+00h], 00000000h |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x2ea88 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x2c000 | 0x2ea88 | 0x2ec00 | False | 0.348648479278 | data | 4.44560190393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x2c310 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x3cb38 | 0x94a8 | data | English | United States |
RT_ICON | 0x45fe0 | 0x69df | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x4c9c0 | 0x5488 | data | English | United States |
RT_ICON | 0x51e48 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States |
RT_ICON | 0x56070 | 0x25a8 | data | English | United States |
RT_ICON | 0x58618 | 0x10a8 | data | English | United States |
RT_ICON | 0x596c0 | 0x988 | data | English | United States |
RT_ICON | 0x5a048 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x5a4b0 | 0x100 | data | English | United States |
RT_DIALOG | 0x5a5b0 | 0x11c | data | English | United States |
RT_DIALOG | 0x5a6d0 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x5a730 | 0x84 | data | English | United States |
RT_MANIFEST | 0x5a7b8 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA |
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 10, 2021 16:33:07.274609089 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.326955080 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.327167034 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.407892942 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.408173084 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.461004972 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.461407900 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.515892029 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.565799952 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.580606937 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.648952961 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.648987055 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.649003029 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.649015903 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.649085045 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.649135113 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.660783052 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.687160015 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:07.739372015 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:07.784548044 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.020052910 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.072082996 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.077243090 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.132307053 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.133141994 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.224497080 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.434758902 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.439166069 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.491475105 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.494575024 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.587511063 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.656271935 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.656836033 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.708772898 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.710311890 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.710545063 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.711524963 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.711668015 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:08.762227058 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.762279034 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.763242960 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:08.763271093 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:09.346879959 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:09.394067049 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:10.824043989 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:10.878382921 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:10.878556013 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:10.995899916 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.462141037 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.513782024 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.515136957 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.592566013 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.593064070 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.645109892 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.647048950 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.701004028 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.701805115 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.767189980 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.767231941 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.767256021 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.767273903 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.767350912 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.771059036 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.778059006 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.831494093 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.834542036 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.886405945 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.890369892 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:11.943137884 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:11.947787046 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.013725996 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.014375925 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.066332102 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.067073107 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.158375978 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.195329905 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.195959091 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.249341965 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.251629114 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.251985073 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.252207994 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.252445936 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.252789974 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.252998114 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.253166914 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.253369093 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
Jun 10, 2021 16:33:12.303487062 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.303580046 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.303770065 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.303972006 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.304379940 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.304408073 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.304498911 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.304703951 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.304862976 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.335310936 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 |
Jun 10, 2021 16:33:12.378856897 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 10, 2021 16:31:08.820503950 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:08.843307972 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:08.879436016 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:08.893702030 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:10.896902084 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:10.946814060 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:11.488945007 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:11.548984051 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:11.694916010 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:11.754446983 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:12.785131931 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:12.846481085 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:13.758203030 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:13.817022085 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:14.906419039 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:14.959626913 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:15.753509998 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:15.807682037 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:16.760272980 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:16.814701080 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:17.618000984 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:17.668526888 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:18.765999079 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:18.816210985 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:20.161376953 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:20.220058918 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:20.983668089 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:21.034496069 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:21.927871943 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:21.981107950 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:23.025336981 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:23.076498985 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:23.947134972 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:23.997332096 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:25.099188089 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:25.149590969 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:25.884020090 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:25.934185028 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:27.044317007 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:27.094527960 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:27.907584906 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:27.959486008 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:31:42.805233002 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:31:42.878016949 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:03.273896933 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:03.489829063 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:04.081512928 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:04.147088051 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:04.285444021 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:04.357515097 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:04.563460112 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:04.693949938 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:05.695972919 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:05.757884979 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:06.557415962 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:06.622850895 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:07.720948935 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:07.775743961 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:08.705986023 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:08.769689083 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:09.829175949 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:09.892926931 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:11.528718948 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:11.590265036 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:15.036381006 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:15.098016024 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:15.849589109 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:15.911247015 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:19.823508978 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:19.885330915 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:53.078896046 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:53.153359890 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:32:54.225924969 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:32:54.301631927 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:33:07.010297060 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:33:07.077755928 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:33:07.089621067 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:33:07.151684999 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:33:11.307936907 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:33:11.366795063 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
Jun 10, 2021 16:33:11.389303923 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 10, 2021 16:33:11.458507061 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 10, 2021 16:33:07.010297060 CEST | 192.168.2.4 | 8.8.8.8 | 0x32a0 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 10, 2021 16:33:07.089621067 CEST | 192.168.2.4 | 8.8.8.8 | 0x3c7a | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 10, 2021 16:33:11.307936907 CEST | 192.168.2.4 | 8.8.8.8 | 0x10e9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jun 10, 2021 16:33:11.389303923 CEST | 192.168.2.4 | 8.8.8.8 | 0xca35 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 10, 2021 16:33:07.077755928 CEST | 8.8.8.8 | 192.168.2.4 | 0x32a0 | No error (0) | mytravelws.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 10, 2021 16:33:07.077755928 CEST | 8.8.8.8 | 192.168.2.4 | 0x32a0 | No error (0) | 185.145.97.154 | A (IP address) | IN (0x0001) | ||
Jun 10, 2021 16:33:07.151684999 CEST | 8.8.8.8 | 192.168.2.4 | 0x3c7a | No error (0) | mytravelws.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 10, 2021 16:33:07.151684999 CEST | 8.8.8.8 | 192.168.2.4 | 0x3c7a | No error (0) | 185.145.97.154 | A (IP address) | IN (0x0001) | ||
Jun 10, 2021 16:33:11.366795063 CEST | 8.8.8.8 | 192.168.2.4 | 0x10e9 | No error (0) | mytravelws.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 10, 2021 16:33:11.366795063 CEST | 8.8.8.8 | 192.168.2.4 | 0x10e9 | No error (0) | 185.145.97.154 | A (IP address) | IN (0x0001) | ||
Jun 10, 2021 16:33:11.458507061 CEST | 8.8.8.8 | 192.168.2.4 | 0xca35 | No error (0) | mytravelws.com | CNAME (Canonical name) | IN (0x0001) | ||
Jun 10, 2021 16:33:11.458507061 CEST | 8.8.8.8 | 192.168.2.4 | 0xca35 | No error (0) | 185.145.97.154 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jun 10, 2021 16:33:07.407892942 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 | 220-servertrv.mytravelws.com ESMTP Exim 4.94.2 #2 Thu, 10 Jun 2021 14:33:07 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jun 10, 2021 16:33:07.408173084 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 | EHLO 301389 |
Jun 10, 2021 16:33:07.461004972 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 | 250-servertrv.mytravelws.com Hello 301389 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP |
Jun 10, 2021 16:33:07.461407900 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 | STARTTLS |
Jun 10, 2021 16:33:07.515892029 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 | 220 TLS go ahead |
Jun 10, 2021 16:33:11.592566013 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 | 220-servertrv.mytravelws.com ESMTP Exim 4.94.2 #2 Thu, 10 Jun 2021 14:33:11 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
Jun 10, 2021 16:33:11.593064070 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 | EHLO 301389 |
Jun 10, 2021 16:33:11.645109892 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 | 250-servertrv.mytravelws.com Hello 301389 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP |
Jun 10, 2021 16:33:11.647048950 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 | STARTTLS |
Jun 10, 2021 16:33:11.701004028 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 | 220 TLS go ahead |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 16:31:16 |
Start date: | 10/06/2021 |
Path: | C:\Users\user\Desktop\i6xFULh8J5.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 540995 bytes |
MD5 hash: | 6C425CF25DA766D3D98597A9BE4E7300 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 16:31:17 |
Start date: | 10/06/2021 |
Path: | C:\Users\user\Desktop\i6xFULh8J5.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 540995 bytes |
MD5 hash: | 6C425CF25DA766D3D98597A9BE4E7300 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 0040323C, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270filestringcomCOMMON
C-Code - Quality: 82% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
C-Code - Quality: 94% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6FC71A98, Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMONCrypto
C-Code - Quality: 95% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216stringregistrylibraryCOMMON
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402C72, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203memoryCOMMON
C-Code - Quality: 96% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
C-Code - Quality: 75% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109fileCOMMON
C-Code - Quality: 93% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403043, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON
C-Code - Quality: 94% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON
C-Code - Quality: 60% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 85% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 94% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236COMMON
C-Code - Quality: 99% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00406767, Relevance: 5.2, APIs: 4, Instructions: 208COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040647D, Relevance: 5.2, APIs: 4, Instructions: 205COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405F82, Relevance: 5.2, APIs: 4, Instructions: 198COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004063D0, Relevance: 5.2, APIs: 4, Instructions: 180COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004064EE, Relevance: 5.2, APIs: 4, Instructions: 170COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040643A, Relevance: 5.2, APIs: 4, Instructions: 168COMMON
C-Code - Quality: 98% |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401B06, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
C-Code - Quality: 59% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
C-Code - Quality: 69% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040583D, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
C-Code - Quality: 68% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040581E, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6FC72A38, Relevance: 1.6, APIs: 1, Instructions: 143COMMON
C-Code - Quality: 44% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004031BF, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6FC72921, Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004031F1, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6FC7101B, Relevance: 1.3, APIs: 1, Instructions: 13memoryCOMMON
C-Code - Quality: 16% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Function 00405042, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
C-Code - Quality: 95% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404853, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMONCrypto
C-Code - Quality: 97% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404356, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266stringCOMMON
C-Code - Quality: 78% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405B88, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON
C-Code - Quality: 74% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402020, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
C-Code - Quality: 74% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0040263E, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
C-Code - Quality: 39% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 83% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404060, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
C-Code - Quality: 93% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 90% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004058B4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON
C-Code - Quality: 93% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00403F7F, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6FC724D8, Relevance: 10.6, APIs: 7, Instructions: 124COMMON
C-Code - Quality: 77% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 93% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004047D3, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402B3B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 86% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00402303, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
C-Code - Quality: 90% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 6FC71837, Relevance: 7.7, APIs: 5, Instructions: 194COMMON
C-Code - Quality: 97% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 84% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004046F1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
C-Code - Quality: 51% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
C-Code - Quality: 51% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004053C6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00405659, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON
C-Code - Quality: 85% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
C-Code - Quality: 67% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00404E54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004024BE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
C-Code - Quality: 100% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004056A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 004057B2, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |