Windows Analysis Report 45I8GbQlUj
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
.NET source code contains potential unpacker
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Multi AV Scanner detection for dropped file |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) |
Source: | Snort IDS: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Dropped File: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File created: |
Source: | Classification label: |
Source: | Section loaded: |
Source: | Mutant created: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation: |
---|
.NET source code contains potential unpacker |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | Static PE information: |
Persistence and Installation Behavior: |
---|
Drops PE files with benign system names |
Source: | File created: |
Source: | File created: |
Boot Survival: |
---|
Creates an undocumented autostart registry key |
Source: | Key value created or modified: |
Source: | File created: |
Source: | File created: |
Source: | Key value created or modified: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) |
Source: | WMI Queries: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: |
Source: | Thread sleep time: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: | ||
Source: | Thread sleep time: |
Source: | Thread delayed: | ||
Source: | Thread delayed: |
Source: | Window / User API: | ||
Source: | Window / User API: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Process information queried: |
Source: | Thread delayed: | ||
Source: | Thread delayed: | ||
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Process token adjusted: | ||
Source: | Process token adjusted: |
Source: | Memory allocated: |
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: | ||
Source: | Queries volume information: |
Source: | Key value queried: |
Source: | WMI Queries: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation221 | Registry Run Keys / Startup Folder11 | Registry Run Keys / Startup Folder11 | Masquerading11 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Standard Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Modify Registry1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion131 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | System Information Discovery213 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
25% | Virustotal | Browse | ||
21% | ReversingLabs | ByteCode-MSIL.Backdoor.Zlugin | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
25% | Virustotal | Browse | ||
21% | ReversingLabs | ByteCode-MSIL.Backdoor.Zlugin |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
74.201.28.62 | unknown | United States | | 35913 | DEDIPATH-LLCUS | true |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 553487 |
Start date: | 15.01.2022 |
Start time: | 01:13:15 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 45I8GbQlUj (renamed file extension from none to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal92.evad.winEXE@1/2@0/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
01:14:05 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\45I8GbQlUj.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54272 |
Entropy (8bit): | 4.125149292696976 |
Encrypted: | false |
SSDEEP: | 192:s7yxMfjf6NrLqKZ6mXS9LzL1pvULIRPqY2F3991ZuBhyY8PGCz9QwAOSZCGQyBbf:KyufjSLq86mXS9LzLdqY2LHZ4cZA |
MD5: | 1B1E4286625BB189A526E910F2031C7B |
SHA1: | 650C0550F12C65D9841D10AB589FF39261018957 |
SHA-256: | C9D7CB68DEC80469C3C03B0E90C7AF1972462CA7779424DB3BFD9D44AEBAA624 |
SHA-512: | 68F2366606B658FDDB2B5E9BAE2E6931FB455A230F8A4813EACB38A3D7853B9640F46FE9EE6FFD9862A509558B66C30A3494CB7231C3EF7CD784950771273155 |
Malicious: | true |
Antivirus: | |
Reputation: | low |
Preview: | |
Process: | C:\Users\user\Desktop\45I8GbQlUj.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: | |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.125149292696976 |
TrID: | |
File name: | 45I8GbQlUj.exe |
File size: | 54272 |
MD5: | 1b1e4286625bb189a526e910f2031c7b |
SHA1: | 650c0550f12c65d9841d10ab589ff39261018957 |
SHA256: | c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624 |
SHA512: | 68f2366606b658fddb2b5e9bae2e6931fb455a230f8a4813eacb38a3d7853b9640f46fe9ee6ffd9862a509558b66c30a3494cb7231c3ef7cd784950771273155 |
SSDEEP: | 192:s7yxMfjf6NrLqKZ6mXS9LzL1pvULIRPqY2F3991ZuBhyY8PGCz9QwAOSZCGQyBbf:KyufjSLq86mXS9LzLdqY2LHZ4cZA |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....vL..........."...0..............5... ...@....@.. ....................... ............@................................ |
File Icon |
---|
Icon Hash: | 00928e8e868eb000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x403512 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x964C769C [Sat Nov 27 02:38:20 2049 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34c0 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xb95c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x34a4 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x1518 | 0x1600 | False | 0.545632102273 | data | 5.4073053016 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0x4000 | 0xb95c | 0xba00 | False | 0.0978032594086 | data | 3.78149617358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x41e0 | 0x8db | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x4acc | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | ||
RT_ICON | 0x8d04 | 0x25a8 | data | ||
RT_ICON | 0xb2bc | 0x1a68 | data | ||
RT_ICON | 0xcd34 | 0x10a8 | data | ||
RT_ICON | 0xddec | 0x988 | data | ||
RT_ICON | 0xe784 | 0x6b8 | data | ||
RT_ICON | 0xee4c | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0xf2c4 | 0x76 | data | ||
RT_VERSION | 0xf34c | 0x40e | data | ||
RT_MANIFEST | 0xf76c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | (c) 2000-2021 Martin Prikryl |
Assembly Version | 5.19.2.11614 |
InternalName | KB5009812.exe |
FileVersion | 5.19.2.11614 |
CompanyName | Martin Prikryl |
LegalTrademarks | |
Comments | WinSCP: SFTP, FTP, WebDAV, S3 and SCP client |
ProductName | WinSCP |
ProductVersion | 5.19.2.11614 |
FileDescription | WinSCP: SFTP, FTP, WebDAV, S3 and SCP client |
OriginalFilename | KB5009812.exe |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
01/15/22-01:14:06.276603 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49760 | 80 | 192.168.2.4 | 74.201.28.62 |
Network Port Distribution |
---|
TCP Packets |
---|
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 15, 2022 01:14:23.194775105 CET | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.standard.a-msedge.net | CNAME (Canonical name) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.4 | 49760 | 74.201.28.62 | 80 | C:\Users\user\Desktop\45I8GbQlUj.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 15, 2022 01:14:06.276602983 CET | 875 | OUT | |
Jan 15, 2022 01:14:06.379652977 CET | 1011 | IN |