Windows Analysis Report y5ACIMK3tT.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
5 of 30 entries shown |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Networking: |
---|
Performs DNS queries to domains with low reputation |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Yara detected Ursnif |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Yara detected Ursnif |
System Summary: |
---|
Writes or reads registry keys via WMI |
Writes registry values via WMI |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Yara detected Ursnif |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Yara detected Ursnif |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Yara detected Ursnif |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection2 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection2 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing12 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 14% | Virustotal | | |
| | 7% | ReversingLabs | | |
| | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| | 100% | Avira | TR/Crypt.XPACK.Gen7 | | |
| | 100% | Avira | TR/Patched.Ren.Gen | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | URL Reputation | safe | |
| | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
| haverit.xyz | unknown | unknown | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | low |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 480992 |
Start date: | 10.09.2021 |
Start time: | 07:14:12 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 32s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | y5ACIMK3tT.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@7/29@8/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
07:15:45 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.7669382848733182 |
Encrypted: | false |
SSDEEP: | 48:IweGcprvGwpLxG/ap8PGIpcdtJGvnZpvdtTGo3zCqp9dtnGo4TzMzKpmStjGW3ze:rCZZZ12RWut3bf43AKMaIAzfUqb3MB |
MD5: | 7945358580CE004301B14ECCF33C17D2 |
SHA1: | F9F713A23F41C627008836FA4F85BA3F7F8FDA69 |
SHA-256: | CEF37EA620615897A045CEEFFCBA0D5381E42F9C0DF7497CB8B06D8F7E625C19 |
SHA-512: | 280D5388D9252CFD5B88BAE3860E19B4608F377D6384715D590E4801CD936A01E473A7C23E70018647CDD9ADA571798ABA69FDDBFE3409ED92719BDE2CC1E935 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.7655222910227881 |
Encrypted: | false |
SSDEEP: | 96:rlZ+ZP2qWNtW27mbfYE27mj27mKMd27mL27mn27mzc27mX27mqLy27mE27mMB:rlZ+ZP2qWNtWpfYElcMdNthclsOyuB |
MD5: | D88CD82AC1F60895D1EB6EC62F06F333 |
SHA1: | DF56E8606A2179574B2B5D80DA05E65DA51A04CB |
SHA-256: | 8DAE15F4846A28D19541A9514629C22DAA0BDA2A6865BC7599BD8E572F42E4CD |
SHA-512: | 6C6F7899D8FC77627E5AA35E4F490DE7328E374181D07820DD006A3B105F57FDDCBCE23B674732A026DD766CFB5BE79FE8DE34C2F9BCFDE48A9C03ECDD12CFDE |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26240 |
Entropy (8bit): | 1.6584600639370661 |
Encrypted: | false |
SSDEEP: | 48:IwDGcpreGwpalG4pQFGrapbSuGQpBVyxGHHpcVBTGUp8VFGzYpmVTNGopOHTyDF8:r5ZWQ361BSmjt2lWVMlksVhA |
MD5: | CD8936B512AAD306702B9FC86A416B85 |
SHA1: | 0A3F2D76086B86BBFD6E90182AEC239EA8BBA810 |
SHA-256: | 9E97C5A637B3EB9021DC6B64CA7657660039D58DD89C3A19B12A2A834C864991 |
SHA-512: | 0AE78E8367CBCA2420D85FCD468C8BA8428EC23BCCA1B50BF8B1D5518966634928E444C0DD247B2EC302B8091056CA7527542AC0BF5B485738DD3D354E78F7EE |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26240 |
Entropy (8bit): | 1.6582689479333252 |
Encrypted: | false |
SSDEEP: | 48:Iw6GcprnGwpazG4pQrGrapbSiGQpBktGHHpcLTGUp8hzGzYpm1Q4GopOPyDcGqXw:r+ZxQF6fBSqjF2lW7Mzk7VFA |
MD5: | B5CA7495FC9582571052CC861577079B |
SHA1: | C468E4E826A65275A8813D6A753923541A33F2E9 |
SHA-256: | CD7558C1567C5551B69316C19AFE67521F86BD98D7980B7023BDE39A3172D63C |
SHA-512: | 69B9F5D0EDCE121D66C5E65C9D700CC1C6AB2246FF309E9391986A543EAD96123FD4E413CBF0CC327D07D0549FB598E963DC39F854A903D6F95093485867AEC0 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 657 |
Entropy (8bit): | 5.112698068858243 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxOE/tnWimI002EtM3MHdNMNxOE/tnWimI00ONVbkEtMb:2d6NxOUtSZHKd6NxOUtSZ7Qb |
MD5: | 56C04B2170D0DEFFB06A9B9F6F37B575 |
SHA1: | CA85A57216773C46A9D92517AB8F81AD03C85373 |
SHA-256: | C8CFD500E2C71690947B8A4C4CF79B313ACC1678111541A9AAAF2F3968C87E99 |
SHA-512: | 3909594FAE2FDB23A1DA8DB925B6CB7FE58C33F72BCD04878CD5816A42E5B430423ABA83D6DE828F118E12EB0A3683ACFA3FEB83B49E4E622B931420D04AF92F |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.105781907353887 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxe2ko3rN3EnWimI002EtM3MHdNMNxe2ko3rN3EnWimI00ONkak6EtMb:2d6NxrDr9ESZHKd6NxrDr9ESZ72a7b |
MD5: | D5284D0B09924DC9096DEEA434C09981 |
SHA1: | 4353BD8DFBD0A1BF36017203DD9A71A4DC87EAA0 |
SHA-256: | 693BB50D3FCA8AB0CEFBDD40107BBF4025ABC5024B409865B1208394BEEAACC4 |
SHA-512: | 4E2269FA633C9AAA2ADBE6C29C76A7F0818793362CE6FA313D46FFF53CCE3C089BAD588375B805124F3CCE19DCEDE601DCAA1BAFA34A0B14B6C1343B920FAB70 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 663 |
Entropy (8bit): | 5.131747444699833 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxvL/tnWimI002EtM3MHdNMNxvL/tnWimI00ONmZEtMb:2d6NxvTtSZHKd6NxvTtSZ7Ub |
MD5: | 30FC25A36A0471ECCE7D48FDD6D0E12B |
SHA1: | D4733C92D8009793A25661271027590392427A99 |
SHA-256: | 34A03EE1D7D5C07C1EFFD920C88860F4384FF00C4AE95F95BF7809363E5FD4FA |
SHA-512: | 61C3B6910CC576CC5E137E0ABBEC0676DCC40AE4D8A2720A96B6F0CA64FB73BEC1C9C73DFEC7B61EEC436F20436E40BAC5916524770A868D95B56615642AA912 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 648 |
Entropy (8bit): | 5.107580769884397 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxio3rN3EnWimI002EtM3MHdNMNxio3rtnWimI00ONd5EtMb:2d6NxJr9ESZHKd6NxJrtSZ7njb |
MD5: | 78930A6B474FF3C6FC92CF65473DF93A |
SHA1: | 1A8D5302E7135E943C109F993296164AA252F93B |
SHA-256: | 73C8C3A7ACF4B48F77369F1EB3EE51C913327D428B6A93D5B142B5782A42C1AC |
SHA-512: | B10FAAFE8E2FC9FF7DB456D617682C01E2611E237B894AFD4BA04E43AE79584A012A5C075D42C62121C5A2AAE4C30C5B892B856E38EA89FA8B0053DD59B7A766 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 657 |
Entropy (8bit): | 5.146947312809163 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxhGw/tnWimI002EtM3MHdNMNxhGw/tnWimI00ON8K075EtMb:2d6NxQQtSZHKd6NxQQtSZ7uKajb |
MD5: | 19BAA0AA4F7B42F1CA9D58F85F36A67B |
SHA1: | 9113B73F91E064873E1DA1247118B80D78373BA9 |
SHA-256: | F430FA5EF7272D5879B8CD143C25B32B5439972DBA3D7AE3AD04C66A234E086F |
SHA-512: | CD6CBE7CDF9AD6DB223C18D560D4264FA8DEDC609F68F254E0D90B4905AF9E93676B7427071604F4DF0C51F2D6184242ECEC16503AFC819D76222A8E5BA991E3 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.116530535276916 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNx0n/tnWimI002EtM3MHdNMNx0n/tnWimI00ONxEtMb:2d6Nx0/tSZHKd6Nx0/tSZ7Vb |
MD5: | A1AFD5D082D3C856A670C9986D04420A |
SHA1: | C8C810DE09A02D662C07CD1E7A49B66ADDBF59B1 |
SHA-256: | 87D3D0F83FB4DAE3EA812108E1B2F6D61983D66BC58AFF67E720D3C604C15009 |
SHA-512: | 0D50713677B1B2C0807EDF39715E3C9F42A1C323EFCF6DEF4C7AE3DDB6EBC6276D61C1A8EEA4597C9516B93081C02A300E96BEE2E4B7A8B69707EDF071DD652E |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 657 |
Entropy (8bit): | 5.152273020515827 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxx/tnWimI002EtM3MHdNMNxx/tnWimI00ON6Kq5EtMb:2d6NxttSZHKd6NxttSZ7ub |
MD5: | 22B48B7DDFCE42C42EA81FBD0846B662 |
SHA1: | 111B0CAAB4F2F1C67000C0731CC9CC4B2EC1B6BE |
SHA-256: | 70D89213EF2CF2C2075483C7E79D01DC921200B20A8BDE99A5D91FAA782097E3 |
SHA-512: | 9D2DDB1124CA4A70739BD5A930CD0C897EE3CEA48A96731FB703B9B5672238B48CB9964B33900E26D90252A79E3ACCDCF71F460652AA041D9E897D27AA75FECE |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 660 |
Entropy (8bit): | 5.099005968693941 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxco3rN3EnWimI002EtM3MHdNMNxco3rN3EnWimI00ONVEtMb:2d6Nx7r9ESZHKd6Nx7r9ESZ71b |
MD5: | 770028D27C9FDE5B0995D0D63E48142E |
SHA1: | D87004D71F531D5E4CE044E48F6E5028886C8825 |
SHA-256: | 77FB3B0296E9681AE26C13093A761F1DE6F5F5F55D23A8F1A2A60A10FEFF4A04 |
SHA-512: | FB282B9B497FE481DB14455B1D627E21C4B081395AFABFB17C337C85F04C9CF19AC1C1D1456F2811566E90BDA4C6F0647B133F2DB72316DBF4C1338940F84C13 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.080308113402304 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxfno3rN3EnWimI002EtM3MHdNMNxfno3rN3EnWimI00ONe5EtMb:2d6NxYr9ESZHKd6NxYr9ESZ7Ejb |
MD5: | 24F51F3EF9833D6BBC19AE0B21CEA66F |
SHA1: | 9457E5D590C1F5EEEDCA4432966C594AD9949FE4 |
SHA-256: | 55A7188A06693632F606D862C04ED6140F787C8AEBFA5539CDEE69620FB38100 |
SHA-512: | 00BF15D1BF9C3C398C6ABF96D8C45572A9C495A968CCE6E74F6CCD011FBED5B9CB4BF50C35E1E578D0D58E07AADBC8C99D29E78A5B9AD44460A5D2A6DEE8EEEF |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2997 |
Entropy (8bit): | 4.4885437940628465 |
Encrypted: | false |
SSDEEP: | 48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra |
MD5: | 2DC61EB461DA1436F5D22BCE51425660 |
SHA1: | E1B79BCAB0F073868079D807FAEC669596DC46C1 |
SHA-256: | ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993 |
SHA-512: | A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4720 |
Entropy (8bit): | 5.164796203267696 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk |
MD5: | D65EC06F21C379C87040B83CC1ABAC6B |
SHA1: | 208D0A0BB775661758394BE7E4AFB18357E46C8B |
SHA-256: | A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F |
SHA-512: | 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 748 |
Entropy (8bit): | 7.249606135668305 |
Encrypted: | false |
SSDEEP: | 12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE |
MD5: | C4F558C4C8B56858F15C09037CD6625A |
SHA1: | EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 |
SHA-256: | 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781 |
SHA-512: | D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2997 |
Entropy (8bit): | 4.4885437940628465 |
Encrypted: | false |
SSDEEP: | 48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra |
MD5: | 2DC61EB461DA1436F5D22BCE51425660 |
SHA1: | E1B79BCAB0F073868079D807FAEC669596DC46C1 |
SHA-256: | ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993 |
SHA-512: | A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 748 |
Entropy (8bit): | 7.249606135668305 |
Encrypted: | false |
SSDEEP: | 12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE |
MD5: | C4F558C4C8B56858F15C09037CD6625A |
SHA1: | EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 |
SHA-256: | 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781 |
SHA-512: | D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4720 |
Entropy (8bit): | 5.164796203267696 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk |
MD5: | D65EC06F21C379C87040B83CC1ABAC6B |
SHA1: | 208D0A0BB775661758394BE7E4AFB18357E46C8B |
SHA-256: | A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F |
SHA-512: | 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 89 |
Entropy (8bit): | 4.48547855515619 |
Encrypted: | false |
SSDEEP: | 3:oVXUpPvTEH8JOGXnEpPvuSun:o9UpoHqEpOSu |
MD5: | D83E06FE427751E9BDB33BB4973DDAE4 |
SHA1: | D3B5FD3B9CC417D6C9104133BD4D208B271E3539 |
SHA-256: | 2560DB494FC84A2E3B784C92C6D21A6E2326B6C022EC01751E3EC1B2D3977051 |
SHA-512: | 665DED2E622C649F7B540499A542AE24835CD4E32077E584E118279013D35B6E88AB0591AC7BE38EFBF3C63C570245203AF3B7431F2AB965DC62DF05D91361E2 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 38737 |
Entropy (8bit): | 0.37178213318940906 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+VqVyRVWVfVTIVTwHTyDZHTyDbHTyDU:kBqoxKAuvScS+ouk1emqwt |
MD5: | 4CFC78871AA73B44EF10B660F7B9A647 |
SHA1: | 110C151CC0DF69ABDE3C5FB7B92366EF33C72F73 |
SHA-256: | EE8635C8F7336AB4769C1F836FE2099EF0EFBAC3B9086AFF3F8B2C1F4796F865 |
SHA-512: | BFE2CB219AF232EBD8108A1C0AB1844D7EFCCD6CB6806F29B8806406162104FE816C00FBA58F5CAFB6BDFA6A780B205512E6F94734AFD740C7F8CEBD2E7FCC3D |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.4083961078857369 |
Encrypted: | false |
SSDEEP: | 12:c9lCg5/9lCgeK9l26an9l26an9l8fR3C9l8fR3y9lTq3nnh:c9lLh9lLh9lIn9lIn9loS9loC9lW3h |
MD5: | 724E1A38416982867DB7435AF11BE17C |
SHA1: | F664B8739825A1AFBEC4F311F03B01742EC36EEA |
SHA-256: | 2BA5B6F622CD7C3D745C61D4CF754E18784D818EDE82EFA121A85501500B52A1 |
SHA-512: | 5A13C7A97A8A4E1567D7B4503BD36482D23FA3947E3B907908516C5D1F2C3DC7D72C26F2650CF09FE2891D9ED5EE0E83FE254E5C03E55ABDB1D2798153F16A9B |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 38737 |
Entropy (8bit): | 0.372600979825686 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+EkRIZ1I1wPyDZPyDbPyDU:kBqoxKAuvScS+EiIZCaG8Z |
MD5: | 334468D3CF49CDFE2CCAC8920F29206F |
SHA1: | 9E61FA62581B40C30BD11BF92BECA809689157ED |
SHA-256: | EA945154C25F0CE7ABEC89280E9419AFE8F82C2E3C3FDC6D7FF27DF0152ECBD4 |
SHA-512: | F8C7833DDF8F0204CAAD36CA56A29F7BB32D965076C6263F7C75C27ACA1999CE7AD0E1611BB510388C8A50978ADAA81A8BA445166AD7E847119CE9C7DA316741 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.40716309839094866 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loIT9loIT9lWINvinev6WnE:kBqoIv59SE |
MD5: | 5217D7AB6A9D794AAC70438D98666715 |
SHA1: | DB061C2C7A891FC61AEFC4D9586D6259E91ABF99 |
SHA-256: | 66EBFEDA3EF90C4EEE430B0738C08546A62BE6EAE13B1C77918B900BAF9878D3 |
SHA-512: | CF2C8FB599D15499CE609B1187CDF10E133FFCA0EC96FE183BA60D514691732A740807FE5F0FF084E4163BEA1916CAA0EA294B975FFFFC1004E91DD7B73590EA |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.614360119917732 |
TrID: |
|
File name: | y5ACIMK3tT.exe |
File size: | 901960 |
MD5: | 72fb1d021cfaa3ef3ea5ddd2aa6edc86 |
SHA1: | 7de81647d41ef9c982920e119ebaf27b5affcf26 |
SHA256: | b7a9576a80944c203ddb7a1fbfbfa2a5806c2419ad193f22b84d0fa4f078a725 |
SHA512: | f487c205746f3b9de76de7029fb9fab108c384e55c8d1918120a76feccd1284ab566eedacd5c7b279a8a9ba16c8c357e56dd6c0497866cb3a41d098d9618cd4e |
SSDEEP: | 24576:y9PsA9vHAYobFGQdRHylSk61LXXhNxvZXmtk1/GqgLGu:3YqJk61bRLZXmWGGu |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s/>..Am..Am..Am...m..Am...m..Am...m..Am..@mb.Am.e.m..Am...m..Amn..m..Am...m..Am...m..Am...m..AmRich..Am....................... |
File Icon |
---|
Icon Hash: | f0b0e8e4e4e8b2dc |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1005725 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x55E85856 [Thu Sep 3 14:25:26 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | e256626a548828ef6c76be7957372a60 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | No signature was present in the subject |
Error Number: | -2146762496 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 8AB6A86211EE700AA961C3292ADB312D |
Thumbprint SHA-1: | A533DFA7E6AED2A9FFBE41FCEC5A8927A6EAFBBB |
Thumbprint SHA-256: | 9E0611728595A506CC2A55486FDD88ECA0971EF0B08F74CB3B3B6F5F6F3C7E27 |
Serial: | 239664C12BAEB5A6D787912888051392 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F38FCDBF020h |
jmp 00007F38FCDB7F35h |
push 00000014h |
push 0108A9F8h |
call 00007F38FCDBCF0Ah |
call 00007F38FCDB870Bh |
movzx esi, ax |
push 00000002h |
call 00007F38FCDBEFB3h |
pop ecx |
mov eax, 00005A4Dh |
cmp word ptr [01000000h], ax |
je 00007F38FCDB7F36h |
xor ebx, ebx |
jmp 00007F38FCDB7F65h |
mov eax, dword ptr [0100003Ch] |
cmp dword ptr [eax+01000000h], 00004550h |
jne 00007F38FCDB7F1Dh |
mov ecx, 0000010Bh |
cmp word ptr [eax+01000018h], cx |
jne 00007F38FCDB7F0Fh |
xor ebx, ebx |
cmp dword ptr [eax+01000074h], 0Eh |
jbe 00007F38FCDB7F3Bh |
cmp dword ptr [eax+010000E8h], ebx |
setne bl |
mov dword ptr [ebp-1Ch], ebx |
call 00007F38FCDBCE5Dh |
test eax, eax |
jne 00007F38FCDB7F3Ah |
push 0000001Ch |
call 00007F38FCDB8057h |
pop ecx |
call 00007F38FCDBE31Bh |
test eax, eax |
jne 00007F38FCDB7F3Ah |
push 00000010h |
call 00007F38FCDB8046h |
pop ecx |
call 00007F38FCDBF02Ch |
and dword ptr [ebp-04h], 00000000h |
call 00007F38FCDBE917h |
test eax, eax |
jns 00007F38FCDB7F3Ah |
push 0000001Bh |
call 00007F38FCDB802Ch |
pop ecx |
call dword ptr [0106A19Ch] |
mov dword ptr [010AC3A8h], eax |
call 00007F38FCDBF047h |
mov dword ptr [01097A94h], eax |
call 00007F38FCDBEC04h |
test eax, eax |
jns 00007F38FCDB7F3Ah |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ccf8 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xad000 | 0x41028 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xda000 | 0x2348 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xef000 | 0x4d50 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6a3b0 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x87940 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6a000 | 0x328 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x681b9 | 0x68200 | False | 0.62395192452 | data | 6.85141956597 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6a000 | 0x23f8a | 0x24000 | False | 0.641872829861 | data | 6.36645327435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x8e000 | 0x1e3ac | 0x7a00 | False | 0.527792008197 | data | 6.51367686644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xad000 | 0x41028 | 0x41200 | False | 0.240744211852 | data | 5.36312234805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xef000 | 0x4d50 | 0x4e00 | False | 0.730168269231 | data | 6.65913941378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xad434 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xbdc5c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16580607, next used block 4294917888 | English | United States |
RT_ICON | 0xc1e84 | 0x25a8 | data | English | United States |
RT_ICON | 0xc442c | 0x10a8 | data | English | United States |
RT_ICON | 0xc54d4 | 0x988 | data | English | United States |
RT_ICON | 0xc5e5c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xc62c4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xd6aec | 0x94a8 | data | English | United States |
RT_ICON | 0xdff94 | 0x5488 | data | English | United States |
RT_ICON | 0xe541c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | English | United States |
RT_ICON | 0xe9644 | 0x25a8 | data | English | United States |
RT_ICON | 0xebbec | 0x10a8 | data | English | United States |
RT_ICON | 0xecc94 | 0x988 | data | English | United States |
RT_ICON | 0xed61c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_STRING | 0xeda84 | 0xbc | data | English | United States |
RT_STRING | 0xedb40 | 0x150 | data | English | United States |
RT_GROUP_ICON | 0xedc90 | 0x76 | data | English | United States |
RT_GROUP_ICON | 0xedd08 | 0x5a | data | English | United States |
RT_VERSION | 0xedd64 | 0x2c4 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetLastError, VirtualProtectEx, LoadLibraryA, OpenMutexA, SetConsoleOutputCP, DeviceIoControl, GetModuleFileNameA, CloseHandle, DeleteFileA, WriteConsoleW, SetStdHandle, GetStringTypeW, LoadLibraryW, WaitForMultipleObjectsEx, GetStartupInfoA, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, CreateProcessA, Sleep, GetTickCount, SetFilePointerEx, GetCurrentProcess, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, ReleaseSemaphore, SetProcessAffinityMask, VirtualProtect, VirtualFree, VirtualAlloc, GetVersionExW, GetModuleHandleA, FreeLibraryAndExitThread, FreeLibrary, GetThreadTimes, OutputDebugStringW, FatalAppExitA, SetConsoleCtrlHandler, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapSize, GetProcessHeap, GetModuleFileNameW, WriteFile, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, AreFileApisANSI, GetModuleHandleExW, ExitProcess, IsDebuggerPresent, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, WaitForSingleObjectEx, SetEvent, DuplicateHandle, WaitForSingleObject, GetCurrentThread, GetCurrentThreadId, GetExitCodeThread, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapAlloc, EncodePointer, DecodePointer, GetCommandLineA, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, CreateSemaphoreW, CreateThread, ExitThread, LoadLibraryExW, RaiseException, RtlUnwind, HeapFree, TryEnterCriticalSection, CreateTimerQueue, RtlCaptureStackBackTrace, CreateFileW |
USER32.dll | SetWindowTextA, CallNextHookEx, LoadBitmapA, GetClassInfoExA, EnumWindows, GetIconInfo, IsDialogMessageA, GetWindowLongA, CreateWindowExA, ReleaseDC, DefWindowProcA, CheckDlgButton, SendMessageA |
ole32.dll | CoUninitialize, OleSetContainedObject, OleInitialize, CoSuspendClassObjects, OleUninitialize, StgCreateDocfile, CoInitialize |
COMCTL32.dll | ImageList_LoadImageA, PropertySheetA, CreatePropertySheetPageA |
WINSPOOL.DRV | AddJobA, DeletePortA, SetPortA, SetPrinterDataA, DeletePrintProcessorA, AbortPrinter, GetPrinterDriverDirectoryA, ResetPrinterA, StartPagePrinter, ReadPrinter, FlushPrinter, DeletePrinterConnectionA, StartDocPrinterA, DeletePrinterKeyA, DeletePrintProvidorA, DeletePrinterDriverExA, GetPrintProcessorDirectoryA, FindClosePrinterChangeNotification, DeletePrinterDriverA, AddPrintProvidorA, OpenPrinterA, GetJobA, ClosePrinter, AddPrintProcessorA, AddPrinterA, PrinterMessageBoxA, SetFormA, GetFormA, DeletePrinter, AddPortA, SetJobA, AddPrinterDriverA, SetPrinterDataExA, DeletePrinterDataExA, DeletePrinterDataA, GetPrinterDataA, AddFormA, AddPrinterDriverExA, AddPrinterConnectionA, AddMonitorA, DeleteFormA, DeleteMonitorA, GetPrinterA, ConfigurePortA, ScheduleJob, GetPrinterDriverA, GetPrinterDataExA |
sfc.dll | SfcIsFileProtected |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | (C) 2011 Helpwould Use Corporation. All rights reserved. |
FileVersion | 14.1.55.63 |
CompanyName | Helpwould Use Corporation |
ProductName | Deathice |
ProductVersion | 14.1.55.63 |
FileDescription | Deathice The Certain |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 10, 2021 07:15:23.031836033 CEST | 51165 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:23.067981005 CEST | 53 | 51165 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:24.261713982 CEST | 53183 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:24.286346912 CEST | 53 | 53183 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:24.403858900 CEST | 57587 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:24.438414097 CEST | 53 | 57587 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:24.588327885 CEST | 55432 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:24.613374949 CEST | 53 | 55432 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:24.691654921 CEST | 64936 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:24.724833012 CEST | 53 | 64936 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:33.078450918 CEST | 52704 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:33.121984959 CEST | 53 | 52704 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:34.716731071 CEST | 52212 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:34.752845049 CEST | 53 | 52212 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:34.768047094 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:34.803451061 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:34.820358038 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:34.854804039 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:46.217190027 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:46.254637003 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:15:56.312530041 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:15:56.348328114 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:03.049340963 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:03.081857920 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:04.060501099 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:04.095017910 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:05.064035892 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:05.096472025 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:07.107239008 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:07.141813040 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:11.172729015 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:11.198000908 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:24.833563089 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:24.870574951 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:28.709317923 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:28.745152950 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:31.068264961 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:31.114586115 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:37.002940893 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:37.036864996 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:38.532948971 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:38.560961962 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:38.567085028 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:38.603250980 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:16:38.613707066 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:16:38.646589994 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 10, 2021 07:15:34.716731071 CEST | 192.168.2.5 | 8.8.8.8 | 0x1bcc | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:34.768047094 CEST | 192.168.2.5 | 8.8.8.8 | 0xaf32 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:34.820358038 CEST | 192.168.2.5 | 8.8.8.8 | 0xe91b | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:46.217190027 CEST | 192.168.2.5 | 8.8.8.8 | 0xb663 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:56.312530041 CEST | 192.168.2.5 | 8.8.8.8 | 0x9483 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:16:38.532948971 CEST | 192.168.2.5 | 8.8.8.8 | 0x528f | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:16:38.567085028 CEST | 192.168.2.5 | 8.8.8.8 | 0xf2 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:16:38.613707066 CEST | 192.168.2.5 | 8.8.8.8 | 0x9562 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 10, 2021 07:15:34.752845049 CEST | 8.8.8.8 | 192.168.2.5 | 0x1bcc | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:34.803451061 CEST | 8.8.8.8 | 192.168.2.5 | 0xaf32 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:34.854804039 CEST | 8.8.8.8 | 192.168.2.5 | 0xe91b | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:46.254637003 CEST | 8.8.8.8 | 192.168.2.5 | 0xb663 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:15:56.348328114 CEST | 8.8.8.8 | 192.168.2.5 | 0x9483 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:16:38.560961962 CEST | 8.8.8.8 | 192.168.2.5 | 0x528f | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:16:38.603250980 CEST | 8.8.8.8 | 192.168.2.5 | 0xf2 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:16:38.646589994 CEST | 8.8.8.8 | 192.168.2.5 | 0x9562 | Name error (3) | none | none | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 07:15:04 |
Start date: | 10/09/2021 |
Path: | C:\Users\user\Desktop\y5ACIMK3tT.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1000000 |
File size: | 901960 bytes |
MD5 hash: | 72FB1D021CFAA3EF3EA5DDD2AA6EDC86 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
General |
---|
Start time: | 07:15:32 |
Start date: | 10/09/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7cbd60000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:15:32 |
Start date: | 10/09/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd50000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:16:36 |
Start date: | 10/09/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7cbd60000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:16:36 |
Start date: | 10/09/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd50000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|