Windows
Analysis Report
pago del 20.01.2022.PDF______________________________________.exe
Overview
General Information
Detection
AgentTesla GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- pago del 20.01.2022.PDF______________________________________.exe (PID: 6452, cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe", MD5: 4A3D98A8485779447C637CAF1CCAD892)
- CasPol.exe (PID: 2132, cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe", MD5: F866FC1C2E928779C7119353C3091F0C)
- conhost.exe (PID: 2976, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
{"Payload URL": "https://drive.google.com/uc?export=downl"}
{"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | |
| LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | |
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
⊘No Sigma rule has matched
AV Detection
- Malware Configuration Extractor (2 entries)
- Virustotal
- Metadefender
- ReversingLabs
- Static PE information
- HTTPS traffic detected (2 entries)
Networking
- URLs
- JA3 fingerprint
- HTTP traffic detected (2 entries)
- Network traffic detected (4 entries)
- String found in binary or memory (19 entries)
- DNS traffic detected
- HTTP traffic detected (2 entries)
- HTTPS traffic detected (2 entries)
- Binary or memory string
System Summary
- Matched rule (2 entries)
- Static PE information
- Static PE information
- Matched rule (2 entries)
- Code function (6 entries)
- Binary or memory string (2 entries)
- Static PE information (3 entries)
- Static PE information
- Virustotal
- Metadefender
- ReversingLabs
- Static PE information
- Key opened
- Section loaded
- Process created (4 entries)
- Key value queried
- WMI Queries
- File created
- Classification label
- Section loaded
- Mutant created
- File read (3 entries)
- Window detected
Data Obfuscation
- File source
- Code function (14 entries)
Hooking and other Techniques for Hiding and Protection
- Process created (3 entries)
- Process information set (55 entries)
Malware Analysis System Evasion
- File opened (4 entries)
- Binary or memory string (3 entries)
- WMI Queries
- WMI Queries
- Thread sleep time
- Last function
- Thread delayed
- Window / User API (2 entries)
- WMI Queries
- Process information queried
- Thread delayed
- System information queried
- Binary or memory string (16 entries)
Anti Debugging
- Thread information set (2 entries)
- Process token adjusted
- Memory allocated
HIPS / PFW / Operating System Protection Evasion
- Memory written
- Process created
- Binary or memory string (4 entries)
- Queries volume information (9 entries)
- Key value queried
Stealing of Sensitive Information
- File source (2 entries)
- File source (2 entries)
Remote Access Functionality
- File source (2 entries)
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 112 Process Injection | 1 Disable or Modify Tools | 1 Input Capture | 411 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 331 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 112 Process Injection | Security Account Manager | 331 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 113 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 114 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 54% | Virustotal | | Browse |
| 24% | Metadefender | | Browse |
| 57% | ReversingLabs | Win32.Trojan.AgentTesla | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 216.58.205.78 | true | false | | high |
googlehosted.l.googleusercontent.com | 216.58.198.33 | true | false | | high |
doc-00-6k-docs.googleusercontent.com | unknown | unknown | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
216.58.198.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |
216.58.205.78 | drive.google.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 558577 |
Start date: | 24.01.2022 |
Start time: | 08:53:31 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | pago del 20.01.2022.PDF______________________________________.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@4/1@2/2 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
08:55:13 | API Interceptor | |
Process: | C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 49152 |
Entropy (8bit): | 5.035543586378022 |
Encrypted: | false |
SSDEEP: | 768:F5mdjxOWaG/KFWSBiGVzG8e83MRJUg/3ZRIIIIIIIIIIIIII:FEtxOtDtBb9+Jp/3ZRIIIIIIIIIIIIII |
MD5: | 84512088E95A81B41D2FF68D0AE6DDE4 |
SHA1: | 5F6EAABC8823AF8FFF10F5C27D17EA599FE5B6CE |
SHA-256: | 942B25782584C3F0C2FB08B4F3461248EAC7A7709673609B2083A86DD561D8E7 |
SHA-512: | ED06A5CC161B7D8F9502AB3B74842B104126532F7829B10076301DC54D5D8E6E82B32D4E452B6140B1CCA7AA4256E888BE6D630EADC9F5273EE5A4D552D48777 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.820365390015966 |
TrID: |
|
File name: | pago del 20.01.2022.PDF______________________________________.exe |
File size: | 218216 |
MD5: | 4a3d98a8485779447c637caf1ccad892 |
SHA1: | 972e617044f41500d54c0a9bc9304094fac5f1b4 |
SHA256: | ab9d325dda36e6f2f7f74aa65c067a67d24b6247271b27d997520593b7105d7d |
SHA512: | 40de4659a252626352a0fe42ce4bf25b3914bc660a4e5c38ba821665721a00f8a222512914a86e39a24621b568b1fbd340d1f0b63f731889daf22a875602aa20 |
SSDEEP: | 3072:RIg+JpfZRIIIIIIIIIIIIIIFypPUZoSP4uj3dZRIIIIIIIIIIIIIIy+JpfIl:ugMhJCSP4iT0MQl |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M...#...#...#.&.-...#...*...#.......#.Rich..#.........PE..L......a.................`...................p....@................ |
Icon Hash: | 001000b2b230d0f0 |
Entrypoint: | 0x401510 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x61EB05A4 [Fri Jan 21 19:12:36 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 076daaa528b1117cda2045bea4524014 |
Signature Valid: | false |
Signature Issuer: | E=BATTERER@unhoping.PAA, CN=Weenong7, OU=misplays, O=Informationsmedarbejder5, L=BAL, S=VIRKNINGSLSE, C=SJ |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 1467D1C1E6DD4034DFDBE58A23B8FC35 |
Thumbprint SHA-1: | 1AC6D9779E9942A75B1E60A4BD5D45A71DBDED15 |
Thumbprint SHA-256: | 3FD5B59E60075347EA5F82B01C8C65BE10162134A329C5C71EDB89DC602A7D9C |
Serial: | 00 |
Instruction |
---|
push 0040CEB8h |
call 00007F3D89259453h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add ch, bl |
std |
inc ecx |
add al, FFFFFFE9h |
call 00007F3DC1E04DB0h |
sbb bh, ah |
push ss |
call far 0000h : 000000D7h |
add byte ptr [ecx], al |
add byte ptr [eax], al |
add byte ptr [edx+00h], al |
push es |
push eax |
add dword ptr [ecx], 50h |
jc 00007F3D892594C7h |
insb |
jne 00007F3D892594D0h |
arpl word ptr [eax+36h], bp |
add byte ptr [eax], al |
add byte ptr [ebx+ebp+000002FCh], bl |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
sbb al, DBh |
push edx |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25cb4 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29000 | 0xb638 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x34000 | 0x1468 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x198 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x252d4 | 0x26000 | False | 0.491217362253 | data | 6.04657240247 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x27000 | 0x178c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x29000 | 0xb638 | 0xc000 | False | 0.451110839844 | data | 5.04272884383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x33351 | 0x12e7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x32ce9 | 0x668 | data | ||
RT_ICON | 0x32a01 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x328d9 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x30c25 | 0x1cb4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x2fd7d | 0xea8 | data | ||
RT_ICON | 0x2f4d5 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x2ef6d | 0x568 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x2d0ce | 0x1e9f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | ||
RT_ICON | 0x2ab26 | 0x25a8 | data | ||
RT_ICON | 0x29a7e | 0x10a8 | data | ||
RT_ICON | 0x29616 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x29568 | 0xae | data | ||
RT_VERSION | 0x29300 | 0x268 | MS Windows COFF Motorola 68000 object file | Chinese | Taiwan |
DLL | Import |
---|---|
MSVBVM60.DLL | __vbaVarTstGt, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaStrI4, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, __vbaStrErrVarCopy, _adj_fprem1, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaStrR8, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Description | Data |
---|---|
Translation | 0x0404 0x04b0 |
LegalCopyright | Catapult Fas |
InternalName | DYPPEDES |
FileVersion | 1.00 |
CompanyName | Catapult Fas |
ProductName | Catapult Fas |
ProductVersion | 1.00 |
OriginalFilename | DYPPEDES.exe |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | Taiwan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 24, 2022 08:55:02.509996891 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 24, 2022 08:55:02.537395954 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3 |
Jan 24, 2022 08:55:03.562330961 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 24, 2022 08:55:03.590068102 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 24, 2022 08:55:02.509996891 CET | 192.168.2.3 | 8.8.8.8 | 0x3509 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2022 08:55:03.562330961 CET | 192.168.2.3 | 8.8.8.8 | 0x8f0b | Standard query (0) | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 24, 2022 08:55:02.537395954 CET | 8.8.8.8 | 192.168.2.3 | 0x3509 | No error (0) | 216.58.205.78 | A (IP address) | IN (0x0001) | ||
Jan 24, 2022 08:55:03.590068102 CET | 8.8.8.8 | 192.168.2.3 | 0x8f0b | No error (0) | googlehosted.l.googleusercontent.com | CNAME (Canonical name) | IN (0x0001) | ||
Jan 24, 2022 08:55:03.590068102 CET | 8.8.8.8 | 192.168.2.3 | 0x8f0b | No error (0) | 216.58.198.33 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49785 | 216.58.205.78 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-01-24 07:55:03 UTC | 0 | OUT | |
2022-01-24 07:55:03 UTC | 0 | IN | |
2022-01-24 07:55:03 UTC | 1 | IN | |
2022-01-24 07:55:03 UTC | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49786 | 216.58.198.33 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-01-24 07:55:03 UTC | 2 | OUT | |
2022-01-24 07:55:04 UTC | 2 | IN |