Windows Analysis Report nheQqfaVcS
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
(29 entries in total; first 5 shown) |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: |
Networking: |
---|
Performs DNS queries to domains with low reputation |
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: | ||
Source: | DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: |
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud: |
---|
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: |
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary: |
---|
Writes or reads registry keys via WMI |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Writes registry values via WMI |
Source: | WMI Registry write: | ||
Source: | WMI Registry write: | ||
Source: | WMI Registry write: | ||
Source: | WMI Registry write: | ||
Source: | WMI Registry write: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Key value queried: |
Source: | Mutant created: |
Source: | WMI Queries: |
Source: | File created: |
Source: | File created: |
Source: | Classification label: |
Source: | File read: |
Source: | File read: | ||
Source: | File read: |
Source: | Window detected: |
Source: | File opened: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Data Obfuscation: |
---|
Detected unpacking (changes PE section rights) |
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection: |
---|
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: |
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Registry key monitored for changes: |
Source: | Thread sleep time: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Key value queried: |
Source: | WMI Queries: |
Stealing of Sensitive Information: |
---|
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: |
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: |
Yara detected Ursnif |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection2 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection2 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing12 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
19% | Virustotal | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen7 | ||
100% | Avira | TR/Patched.Ren.Gen |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
6% | Virustotal |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
4% | Virustotal | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
haverit.xyz | unknown | unknown | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | true | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | true | | unknown |
| | false | | low |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | true | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | true | | unknown |
| | false | | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 480998 |
Start date: | 10.09.2021 |
Start time: | 07:26:28 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 44s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | nheQqfaVcS (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@7/29@8/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
07:28:20 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.771427654928644 |
Encrypted: | false |
SSDEEP: | 96:rBZWZL2OBWO9tOFbfOsw3KMONfhziTqOnwMB:rBZWZL2OBWO9tOZfOshMOr9ODB |
MD5: | E8166AD9C4D6191DD8C51030C263321E |
SHA1: | 61AD14E0A1D4BF14E711A26E241F5F060A40E8C3 |
SHA-256: | 72336C9DED2DC7C99135FC983ABF3780D99B828FAA1FF57CB8065F91DA33A82A |
SHA-512: | 78642E04288D2E3AEA575EAE6439B8E456BC530724B50FA278753E2FF0039B0723BD65C9775C2C7E78D53A93F37A4E0211CB49609F499A920162396C5EC851BF |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29272 |
Entropy (8bit): | 1.7678202020698055 |
Encrypted: | false |
SSDEEP: | 96:rAZ3Zj2xAWxutxebfxU2dKMxX1szbpqxe2MB:rAZ3Zj2xAWxutxOfxUlMx+0xcB |
MD5: | 7148254D4FADD6EDD26BC42BB795B2BB |
SHA1: | 5F8D1A30EF81D47F76BD2D9DF20D45A2C111D41C |
SHA-256: | C5427B07D6C5EED675B24B4D78E6396059F3F3B7789E85C403D8171090E1EA89 |
SHA-512: | A784604EEF93D41E5C96ECC8EB05AEE70F27D8F03DB111EFE87CE501A9D96DB598A2BF59102BF6C8CABE7A8E8E0C7AD9F3CA1B7F5A8B05161D0008A60E75B572 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26240 |
Entropy (8bit): | 1.6577965569535396 |
Encrypted: | false |
SSDEEP: | 48:IwTGcprhGwpa9G4pQ1GrapbSpGQpBKGHHpcSTGUp8bGzYpm/jGopORyDGGqXpHRA:rpZ7Q/6lBSjjR2CWhM9kDVpA |
MD5: | C892D13DD1CD1998B7477CFE1FCDC3C9 |
SHA1: | 32C026788A88FCAC8F0B5A9C35ED93D84B599259 |
SHA-256: | 60799FB8BC177347E5FDD2EA561AE534E71E9BE501346CB9F96C595CB03CC2B5 |
SHA-512: | 3C4F587D9FA8BCBFE6DE40D5E8CCAA4C87ECB687FD4E595E5BB195087EDC8CB1D19F1A21A8FA265234DD6D3859C113666DD21D1521DB19DB84B688ADAD76F3A7 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26240 |
Entropy (8bit): | 1.6594241652982409 |
Encrypted: | false |
SSDEEP: | 48:Iw5GcprsGwpaAG4pQIGrapbS3GQpBSGHHpcDTGUp8MxGzYpm8kyGopOayDHGqXpo:rfZEQg6WBSBjp2dWYMAkRVfA |
MD5: | 291690DBD83163CCA5FD3E0D02BB1F36 |
SHA1: | B95DF0F5F82CE3679FBD865D376FECE6100F0A10 |
SHA-256: | D208D5CDCC082B127052B55A8AF6DFA11A0CCD45D1C6E854099AC772108756ED |
SHA-512: | 3AD8EB543A7267A882D838D6896A7EA9D6A27D0E454A5260C3ECEBF6F3A8E5B807ED5553B7A36F95004B87F996284E2F6EDB791F349D2D3A49F37ECE1B83E1C0 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 657 |
Entropy (8bit): | 5.113905124514613 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxOEMaraMnWimI002EtM3MHdNMNxOEMaraMnWimI00ONVbkEtMb:2d6NxOA2MSZHKd6NxOA2MSZ7Qb |
MD5: | 7012472634EB96820B6EEC294FFA2AB2 |
SHA1: | 46B70A08F8F0B7C210D7E2016C79505166019066 |
SHA-256: | C5EC7B30B03613C6450AA1953B7F13B82163B3CDEF0ADD1D83D771346BCA0F24 |
SHA-512: | B55B9BCE216DE90290FDA211C0F561C7BA5EE5403E93C473003DCCA84728BA82F8C3956D67894CB1C71805E1CD79DC314929C1CF0E68019A20E955941BED761E |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.126785934700775 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxe2kMugougHnWimI002EtM3MHdNMNxe2kMugougHnWimI00ONkak6EtMb:2d6NxrgSZHKd6NxrgSZ72a7b |
MD5: | 036A6E3282047CFBD313BC951C0FDCC6 |
SHA1: | FACC78394DC05D4584A2C59D45409D28C0EC2528 |
SHA-256: | C87DB800F390409FF72B1C096495CAFF04E708187F7646559CE7BF2D882C5DAD |
SHA-512: | 1C1F7F565131612E1B0DB5B6ABF19676756BAAAA1C34E2F483AAF0607185D39735B6B44814C4B4D2D5F7D3E2656E66CC3898651A812D6277AC72E6DC44B4D028 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 663 |
Entropy (8bit): | 5.132943576775603 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxvLMaraMnWimI002EtM3MHdNMNxvLMaraMnWimI00ONmZEtMb:2d6Nxv12MSZHKd6Nxv12MSZ7Ub |
MD5: | 0810F0747527C354F4C7B878EC6C037D |
SHA1: | 0CE70619C66F00ED1A5FD6B7421358B9CABC4E13 |
SHA-256: | F97424B8D542DAA2736F2142CBC911B99AE4D09A3B382D336831F9110CAC8D80 |
SHA-512: | 58102F88EACDF34CBF1F04A782BC60DA0DDEEE3AE7FE73F668435FD5D2B314BF21EB0E9BBDE3AFADC1B75FBB58692CBB585BD3E58061655A10E35178FED7C9EF |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 648 |
Entropy (8bit): | 5.123568335705859 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxiMrMnWimI002EtM3MHdNMNxiMrMnWimI00ONd5EtMb:2d6Nx8SZHKd6Nx8SZ7njb |
MD5: | 5DA483F61304960D0F776FB1C0AC546E |
SHA1: | F6FB15F9FE4A2B2CECAE1219CDCC214002C36E03 |
SHA-256: | 1770B45C0925C77FCB065FB7D79A3D7DCC249F395EFFB214E6EE1583DE63B7B8 |
SHA-512: | BB0D0B8F4F43AE2878DDA27B7D4653794645B10B9437C11061C77F759B2D085AEF1075627BB8E250128E3CEAFB2870929C478B17750CF13220FC4A890D971F36 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 657 |
Entropy (8bit): | 5.1481543684655335 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxhGwMaraMnWimI002EtM3MHdNMNxhGwMaraMnWimI00ON8K075EtMb:2d6NxQc2MSZHKd6NxQc2MSZ7uKajb |
MD5: | 5E414D55D9C5C113853E0245A19215C1 |
SHA1: | C4EF265F1D3977769CBC094CCE02FD5DEDE6545D |
SHA-256: | 7B41E8602389BE61D50ADAC69C387146B3C29F2D34BEA8999D0CC5F40F35E88D |
SHA-512: | 3364A941E12C6D76EE67BBB4223ED009129D6A89794F2D39C9F3CB79A2E9FD049989A781F04307955ED51D3D128253A87012E40DC77EB848E7C3183C4D4E0E42 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.112015487709611 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNx0nMrMnWimI002EtM3MHdNMNx0nMrMnWimI00ONxEtMb:2d6Nx0bSZHKd6Nx0bSZ7Vb |
MD5: | 5DB865CF1E6A450A7E3E42EB09234DC4 |
SHA1: | 0D6EA71BF5715A483214C89E8E1FD8514ACFAD46 |
SHA-256: | C2DCB2A500F9235E55C2750262BC304FC7454304A466F44DE6BC219C88DA38B4 |
SHA-512: | 92E6885A9DF1131578F120C997E3C583D4AF54DE78614C4E92E930F0158565E7E6617196319B272B99B518484495C5BEC38FF86ADDB7750FFB0D4913BB5F8E0F |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 657 |
Entropy (8bit): | 5.147778589604081 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxxMrMnWimI002EtM3MHdNMNxxMrMnWimI00ON6Kq5EtMb:2d6NxtSZHKd6NxtSZ7ub |
MD5: | B1BB196FF5EDF1BC272963AB21FCABB5 |
SHA1: | 6B5D418C755223D69CF07CF4362C6F7DD01187E3 |
SHA-256: | BC5CCB9E63BC889CE68A41461AAF3AD5A90FC3DE632F3405C3FCCC9DE605DB75 |
SHA-512: | DF824DE32328A196D51A4CE489F19D175930751EA153C71C8C23740EFF46F4032ABEBD209AB66E030628FE287F0DBCB464722101E6B41EF48007698B9B82CA8B |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 660 |
Entropy (8bit): | 5.124275386432658 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxcMrMnWimI002EtM3MHdNMNxcMrMnWimI00ONVEtMb:2d6Nx+SZHKd6Nx+SZ71b |
MD5: | 6E42AC1028D8AB88EFB8CAA36B282D89 |
SHA1: | 688B731F70840DFD8EC1464B1F7829DDD3675D49 |
SHA-256: | 6541E1956991734ED55917912A40D64DDFAD6607440705CBA4E8DDD95780B7CF |
SHA-512: | AFD585A1BDD6224744BF41D43B0918B847A02905623D6AE95DABAA0185527B9254F7974BE6F706D17A8001B291E4E59909CADB913957E5B7195DCC33BD8041EA |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.1087139086941935 |
Encrypted: | false |
SSDEEP: | 12:TMHdNMNxfnMrMnWimI002EtM3MHdNMNxfnMrMnWimI00ONe5EtMb:2d6NxDSZHKd6NxDSZ7Ejb |
MD5: | B130923143DF009BD3DBE0EB65452958 |
SHA1: | 4794E0BA69ABBFC18985B69796F925B384939EFA |
SHA-256: | 5F6E2870EEE5B52FA68DE47B4C15F5B30F060F064313ED9854748BD44FAAC1AD |
SHA-512: | 5713FCE4DC67B3F526CC8850E55F1BF00161BB96C20EEC63254B2043C19839FEB3DFE818AAEA9D80D91AA9DF7552DF35F712936137CAFF5B0F2B78C929250D18 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2997 |
Entropy (8bit): | 4.4885437940628465 |
Encrypted: | false |
SSDEEP: | 48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra |
MD5: | 2DC61EB461DA1436F5D22BCE51425660 |
SHA1: | E1B79BCAB0F073868079D807FAEC669596DC46C1 |
SHA-256: | ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993 |
SHA-512: | A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4720 |
Entropy (8bit): | 5.164796203267696 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk |
MD5: | D65EC06F21C379C87040B83CC1ABAC6B |
SHA1: | 208D0A0BB775661758394BE7E4AFB18357E46C8B |
SHA-256: | A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F |
SHA-512: | 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 748 |
Entropy (8bit): | 7.249606135668305 |
Encrypted: | false |
SSDEEP: | 12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE |
MD5: | C4F558C4C8B56858F15C09037CD6625A |
SHA1: | EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 |
SHA-256: | 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781 |
SHA-512: | D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12105 |
Entropy (8bit): | 5.451485481468043 |
Encrypted: | false |
SSDEEP: | 192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f |
MD5: | 9234071287E637F85D721463C488704C |
SHA1: | CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152 |
SHA-256: | 65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649 |
SHA-512: | 87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1612 |
Entropy (8bit): | 4.869554560514657 |
Encrypted: | false |
SSDEEP: | 24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk |
MD5: | DFEABDE84792228093A5A270352395B6 |
SHA1: | E41258C9576721025926326F76063C2305586F76 |
SHA-256: | 77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075 |
SHA-512: | E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2997 |
Entropy (8bit): | 4.4885437940628465 |
Encrypted: | false |
SSDEEP: | 48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra |
MD5: | 2DC61EB461DA1436F5D22BCE51425660 |
SHA1: | E1B79BCAB0F073868079D807FAEC669596DC46C1 |
SHA-256: | ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993 |
SHA-512: | A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 748 |
Entropy (8bit): | 7.249606135668305 |
Encrypted: | false |
SSDEEP: | 12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE |
MD5: | C4F558C4C8B56858F15C09037CD6625A |
SHA1: | EE497CC061D6A7A59BB66DEFEA65F9A8145BA240 |
SHA-256: | 39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781 |
SHA-512: | D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44 |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4720 |
Entropy (8bit): | 5.164796203267696 |
Encrypted: | false |
SSDEEP: | 96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk |
MD5: | D65EC06F21C379C87040B83CC1ABAC6B |
SHA1: | 208D0A0BB775661758394BE7E4AFB18357E46C8B |
SHA-256: | A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F |
SHA-512: | 8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E |
Malicious: | false |
Process: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
File Type: | |
Category: | modified |
Size (bytes): | 89 |
Entropy (8bit): | 4.224587757977836 |
Encrypted: | false |
SSDEEP: | 3:oVXUpjGrpEH8JOGXnEpjGrU7n:o9Up2p4qEp2g |
MD5: | 03064E3244A4514F8AA241D46356725E |
SHA1: | A7EB233C8F4C96653926FBB83A75850023AADEC4 |
SHA-256: | 46B83B9473554CD475F07746945F6E70B2F892E581BD04354024B0050F32E359 |
SHA-512: | 360B1BF6340283B8EF4D99A9E388CEADC24C27CF2C26B53D04070A97AA1CB464AFF958F5F394532E7B84089E7B3E3F5AE44CA385D895C24DE97F662870937FA6 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 38737 |
Entropy (8bit): | 0.37172545806157037 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+tzxQ8I8wayDZayDbayDU:kBqoxKAuvScS+tzxQTbLpa |
MD5: | B1843149433FC41DF0EFE9263ED154F7 |
SHA1: | 4316C4FB4DB1846095CA848A325571CADE049A5D |
SHA-256: | 3822E398E5C6FB036F326BC322DE411C4A4A330BFAE0B7C52490F4A9C55A8C46 |
SHA-512: | B6CB2620D3D5120A0BE2336E07AB9E62D6F0BBCB92677731AF360400C80E53750E24A7897D154A52C435ACFAC44F43E45E8F2E3ABF7A773375BC47BE1DB1036D |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 38737 |
Entropy (8bit): | 0.37049313974713743 |
Encrypted: | false |
SSDEEP: | 48:kBqoxKAuvScS+2wqD/I/wRyDZRyDbRyDU:kBqoxKAuvScS+2wqDwIwqX |
MD5: | 2C7140FAB24D2288CC34CC904663D3EF |
SHA1: | 4A7C0F021D2B0442BFE31BF1505DAFB109366005 |
SHA-256: | 8C0486AF2E2FCB5AE3E0CCC853BE52C25F361376541027BE62E0455BDD485DCC |
SHA-512: | 899E67BAC8F5749CA9312E3BBC24F2EF44B327E098984870FB3D93F4FB295FC851D76360C45906723B3563DADF8683D365355A2FF27C8CF8E492737D3281C944 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.4092348646167777 |
Encrypted: | false |
SSDEEP: | 24:c9lLh9lLh9lIn9lIn9loET9loET9lWECM/PDy/O7nE:kBqoIjVx5 |
MD5: | F3FB9D4A2F87340D0E3B8FB18F3B2922 |
SHA1: | F039854E0419799C7653095805BF099BE1B22E89 |
SHA-256: | D69CC8BF9FEA5B6A2FD2333303DBAE774E3DCBEB9E21325FA3B050339375B93E |
SHA-512: | A5123B626E879D8100140439AC0BB7CC50B384BC6BC21C956BAD8E6D48F7FD66464B5420CF488A58E0D76F3A5D0076AA4B6F3B495A5E0B27310C5FE5A38EBF04 |
Malicious: | false |
Process: | C:\Program Files\internet explorer\iexplore.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12933 |
Entropy (8bit): | 0.40841972555186656 |
Encrypted: | false |
SSDEEP: | 12:c9lCg5/9lCgeK9l26an9l26an9l8fRj9l8fRj9lTqOZOeq:c9lLh9lLh9lIn9lIn9loj9loj9lWOZ6 |
MD5: | 1819126BFFACD56CF744DB7D42C47680 |
SHA1: | 010E551B291C05657DBCBFA833109E2102DFF41A |
SHA-256: | C0DE1F200170DFA47C1C87589CAB0B63BF7A82A5AFEC9BE3A1425E7714B95539 |
SHA-512: | 843E114EFD05E6BB6D3A7655DF38A16CEB4B345A4CF293439664F1A11EBAA98F4B75287040EF514A3104DDF34E93824D196BE60FFAA85D4C82E4F31F93664EC1 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.614401628444266 |
File name: | nheQqfaVcS.exe |
File size: | 901960 |
MD5: | 2926d2ff62efaa0fbfdcc3fb7e77c6d2 |
SHA1: | dc5ebad8503139f8ce84927fda0ec9adb5b77200 |
SHA256: | 041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60 |
SHA512: | 1c122a0a63f010e55765f32c0495611c48eec7f7f076a3644e4ddc37763b5c6984e3ef62cf27f3e2b771b8b3a4917e998a88e1ec94e679cdc891e490cc20ec07 |
SSDEEP: | 24576:g9PsA9vHAYobFGQdRHylSk61LXXhtxvZPmtk1/GqgLG4:NYKJk61bRrZPmWGG4 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Zm.f...5...5...5..r5...5..w5...5..v5...5...5...5.{.5...5..t5...5..v5...5..j5-..5..p5...5..u5...5Rich...5....................... |
File Icon |
---|
Icon Hash: | f0b0e8e4e4e8b2dc |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x1005725 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x1000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, NX_COMPAT |
Time Stamp: | 0x55E85856 [Thu Sep 3 14:25:26 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 6e09f5ea9222053b840f418fc7379964 |
Authenticode Signature |
---|
Signature Valid: | false |
Signature Issuer: | CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | No signature was present in the subject |
Error Number: | -2146762496 |
Version: | 3 |
Thumbprint MD5: | 8AB6A86211EE700AA961C3292ADB312D |
Thumbprint SHA-1: | A533DFA7E6AED2A9FFBE41FCEC5A8927A6EAFBBB |
Thumbprint SHA-256: | 9E0611728595A506CC2A55486FDD88ECA0971EF0B08F74CB3B3B6F5F6F3C7E27 |
Serial: | 239664C12BAEB5A6D787912888051392 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F5FBCB5E4C0h |
jmp 00007F5FBCB573D5h |
push 00000014h |
push 0108A9F8h |
call 00007F5FBCB5C3AAh |
call 00007F5FBCB57BABh |
movzx esi, ax |
push 00000002h |
call 00007F5FBCB5E453h |
pop ecx |
mov eax, 00005A4Dh |
cmp word ptr [01000000h], ax |
je 00007F5FBCB573D6h |
xor ebx, ebx |
jmp 00007F5FBCB57405h |
mov eax, dword ptr [0100003Ch] |
cmp dword ptr [eax+01000000h], 00004550h |
jne 00007F5FBCB573BDh |
mov ecx, 0000010Bh |
cmp word ptr [eax+01000018h], cx |
jne 00007F5FBCB573AFh |
xor ebx, ebx |
cmp dword ptr [eax+01000074h], 0Eh |
jbe 00007F5FBCB573DBh |
cmp dword ptr [eax+010000E8h], ebx |
setne bl |
mov dword ptr [ebp-1Ch], ebx |
call 00007F5FBCB5C2FDh |
test eax, eax |
jne 00007F5FBCB573DAh |
push 0000001Ch |
call 00007F5FBCB574F7h |
pop ecx |
call 00007F5FBCB5D7BBh |
test eax, eax |
jne 00007F5FBCB573DAh |
push 00000010h |
call 00007F5FBCB574E6h |
pop ecx |
call 00007F5FBCB5E4CCh |
and dword ptr [ebp-04h], 00000000h |
call 00007F5FBCB5DDB7h |
test eax, eax |
jns 00007F5FBCB573DAh |
push 0000001Bh |
call 00007F5FBCB574CCh |
pop ecx |
call dword ptr [0106A19Ch] |
mov dword ptr [010AC3A8h], eax |
call 00007F5FBCB5E4E7h |
mov dword ptr [01097A94h], eax |
call 00007F5FBCB5E0A4h |
test eax, eax |
jns 00007F5FBCB573DAh |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8ccf8 | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xad000 | 0x41028 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xda000 | 0x2348 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xef000 | 0x4d50 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6a3b0 | 0x38 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x87940 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6a000 | 0x328 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x681b9 | 0x68200 | False | 0.623954269208 | data | 6.85141828955 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6a000 | 0x23f8a | 0x24000 | False | 0.64170328776 | data | 6.36645327435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x8e000 | 0x1e3ac | 0x7a00 | False | 0.527792008197 | data | 6.51367686644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xad000 | 0x41028 | 0x41200 | False | 0.240744211852 | data | 5.36312234805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xef000 | 0x4d50 | 0x4e00 | False | 0.730168269231 | data | 6.65913941378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xad434 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xbdc5c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16580607, next used block 4294917888 | English | United States |
RT_ICON | 0xc1e84 | 0x25a8 | data | English | United States |
RT_ICON | 0xc442c | 0x10a8 | data | English | United States |
RT_ICON | 0xc54d4 | 0x988 | data | English | United States |
RT_ICON | 0xc5e5c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_ICON | 0xc62c4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0xd6aec | 0x94a8 | data | English | United States |
RT_ICON | 0xdff94 | 0x5488 | data | English | United States |
RT_ICON | 0xe541c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | English | United States |
RT_ICON | 0xe9644 | 0x25a8 | data | English | United States |
RT_ICON | 0xebbec | 0x10a8 | data | English | United States |
RT_ICON | 0xecc94 | 0x988 | data | English | United States |
RT_ICON | 0xed61c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_STRING | 0xeda84 | 0xbc | data | English | United States |
RT_STRING | 0xedb40 | 0x150 | data | English | United States |
RT_GROUP_ICON | 0xedc90 | 0x76 | data | English | United States |
RT_GROUP_ICON | 0xedd08 | 0x5a | data | English | United States |
RT_VERSION | 0xedd64 | 0x2c4 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetLastError, VirtualProtectEx, LoadLibraryA, OpenMutexA, SetConsoleOutputCP, DeviceIoControl, GetModuleFileNameA, CloseHandle, DeleteFileA, WriteConsoleW, SetStdHandle, GetStringTypeW, LoadLibraryW, WaitForMultipleObjectsEx, GetStartupInfoA, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, CreateProcessA, Sleep, GetTickCount, SetFilePointerEx, GetCurrentProcess, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, ReleaseSemaphore, SetProcessAffinityMask, VirtualProtect, VirtualFree, VirtualAlloc, GetVersionExW, GetModuleHandleA, FreeLibraryAndExitThread, FreeLibrary, GetThreadTimes, OutputDebugStringW, FatalAppExitA, SetConsoleCtrlHandler, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapSize, GetProcessHeap, GetModuleFileNameW, WriteFile, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, AreFileApisANSI, GetModuleHandleExW, ExitProcess, IsDebuggerPresent, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, WaitForSingleObjectEx, SetEvent, DuplicateHandle, WaitForSingleObject, GetCurrentThread, GetCurrentThreadId, GetExitCodeThread, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapAlloc, EncodePointer, DecodePointer, GetCommandLineA, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, 
TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, CreateSemaphoreW, CreateThread, ExitThread, LoadLibraryExW, RaiseException, RtlUnwind, HeapFree, TryEnterCriticalSection, CreateTimerQueue, RtlCaptureStackBackTrace, CreateFileW |
USER32.dll | SetWindowTextA, CallNextHookEx, LoadBitmapA, GetClassInfoExA, EnumWindows, GetIconInfo, IsDialogMessageA, GetWindowLongA, CreateWindowExA, ReleaseDC, DefWindowProcA, CheckDlgButton, SendMessageA |
ole32.dll | OleUninitialize, CoUninitialize, CoSuspendClassObjects, OleSetContainedObject, StgCreateDocfile, OleInitialize, CoInitialize |
COMCTL32.dll | ImageList_LoadImageA, PropertySheetA, CreatePropertySheetPageA |
WINSPOOL.DRV | DeletePortA, SetPrinterDataA, DeleteFormA, SetPortA, SetPrinterDataExA, AddMonitorA, ScheduleJob, AddPrinterConnectionA, ReadPrinter, AddPrinterDriverA, GetPrinterDataA, ResetPrinterA, PrinterMessageBoxA, DeletePrintProcessorA, GetPrinterDriverDirectoryA, OpenPrinterA, AddPortA, ConfigurePortA, GetPrinterDataExA, GetJobA, AddPrinterDriverExA, ClosePrinter, DeletePrinterDataExA, DeletePrinterConnectionA, DeletePrintProvidorA, StartPagePrinter, AbortPrinter, GetPrintProcessorDirectoryA, StartDocPrinterA, GetPrinterA, AddPrinterA, DeletePrinter, DeleteMonitorA, GetPrinterDriverA, AddFormA, DeletePrinterDriverA, AddPrintProcessorA, AddPrintProvidorA, SetFormA, GetFormA, DeletePrinterDataA, AddJobA, FlushPrinter, DeletePrinterDriverExA, SetJobA, FindClosePrinterChangeNotification, DeletePrinterKeyA |
sfc.dll | SfcIsFileProtected |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | (C) 2011 Helpwould Use Corporation. All rights reserved. |
FileVersion | 14.1.55.63 |
CompanyName | Helpwould Use Corporation |
ProductName | Deathice |
ProductVersion | 14.1.55.63 |
FileDescription | Deathice The Certain |
Translation | 0x0409 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 10, 2021 07:27:39.750437975 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:27:39.802483082 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:03.941092014 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:03.973735094 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:07.658811092 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:07.696305990 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:09.204570055 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:09.240426064 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:09.247970104 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:09.274013996 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:09.286760092 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:09.311476946 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:20.653501987 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:20.687736034 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:27.698112965 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:27.748544931 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:30.802565098 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:30.835525990 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:37.671355009 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:37.705704927 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:38.718317032 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:38.751202106 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:39.720861912 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:39.747662067 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:40.197954893 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:40.243762970 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:41.719208002 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:41.760893106 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:44.987360954 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:45.026432037 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:45.767276049 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:45.800985098 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:47.821943045 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:47.859509945 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:28:48.851515055 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:28:48.894433975 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:29:11.492307901 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:29:11.526818037 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:29:12.638621092 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:29:12.675548077 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:29:12.688169003 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:29:12.725872040 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:29:12.749125004 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:29:12.782552004 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:29:15.815572977 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:29:15.851185083 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5 |
Sep 10, 2021 07:29:17.516053915 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8 |
Sep 10, 2021 07:29:17.551978111 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 10, 2021 07:28:09.204570055 CEST | 192.168.2.5 | 8.8.8.8 | 0x8102 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:09.247970104 CEST | 192.168.2.5 | 8.8.8.8 | 0x3467 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:09.286760092 CEST | 192.168.2.5 | 8.8.8.8 | 0xd1fe | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:20.653501987 CEST | 192.168.2.5 | 8.8.8.8 | 0xcc39 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:30.802565098 CEST | 192.168.2.5 | 8.8.8.8 | 0x2628 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:29:12.638621092 CEST | 192.168.2.5 | 8.8.8.8 | 0x3cc1 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:29:12.688169003 CEST | 192.168.2.5 | 8.8.8.8 | 0xf6a9 | Standard query (0) | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:29:12.749125004 CEST | 192.168.2.5 | 8.8.8.8 | 0x4222 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 10, 2021 07:28:09.240426064 CEST | 8.8.8.8 | 192.168.2.5 | 0x8102 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:09.274013996 CEST | 8.8.8.8 | 192.168.2.5 | 0x3467 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:09.311476946 CEST | 8.8.8.8 | 192.168.2.5 | 0xd1fe | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:20.687736034 CEST | 8.8.8.8 | 192.168.2.5 | 0xcc39 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:28:30.835525990 CEST | 8.8.8.8 | 192.168.2.5 | 0x2628 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:29:12.675548077 CEST | 8.8.8.8 | 192.168.2.5 | 0x3cc1 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:29:12.725872040 CEST | 8.8.8.8 | 192.168.2.5 | 0xf6a9 | Name error (3) | none | none | A (IP address) | IN (0x0001) | |
Sep 10, 2021 07:29:12.782552004 CEST | 8.8.8.8 | 192.168.2.5 | 0x4222 | Name error (3) | none | none | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 07:27:39 |
Start date: | 10/09/2021 |
Path: | C:\Users\user\Desktop\nheQqfaVcS.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1000000 |
File size: | 901960 bytes |
MD5 hash: | 2926D2FF62EFAA0FBFDCC3FB7E77C6D2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 07:28:07 |
Start date: | 10/09/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff640a80000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:28:07 |
Start date: | 10/09/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaa0000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:29:10 |
Start date: | 10/09/2021 |
Path: | C:\Program Files\internet explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff640a80000 |
File size: | 823560 bytes |
MD5 hash: | 6465CB92B25A7BC1DF8E01D8AC5E7596 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 07:29:11 |
Start date: | 10/09/2021 |
Path: | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xaa0000 |
File size: | 822536 bytes |
MD5 hash: | 071277CC2E3DF41EEEA8013E2AB58D5A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|