Windows
Analysis Report
OatAFVzm15.bin
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- OatAFVzm15.exe (PID: 3988 cmdline:
"C:\Users\ user\Deskt op\OatAFVz m15.exe" MD5: B741DAECA2EDB8D539BE2938E5F9490F) - WerFault.exe (PID: 2104 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 988 -s 224 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Static PE information: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Process created: |
Source: | Virustotal: | ||
Source: | Metadefender: | ||
Source: | ReversingLabs: |
Source: | File created: | Jump to behavior |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Process queried: |
Source: | Binary or memory string: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
80% | Virustotal | Browse | ||
57% | Metadefender | Browse | ||
92% | ReversingLabs | Win32.Trojan.Zeus | ||
100% | Avira | TR/Spy.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Spy.Gen | Download File | ||
100% | Avira | TR/Spy.Gen | Download File | ||
100% | Avira | TR/Spy.Gen | Download File | ||
100% | Avira | TR/Spy.Gen | Download File |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 691234 |
Start date and time: | 2022-08-27 03:53:24 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | OatAFVzm15.bin (renamed file extension from bin to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.bank.winEXE@2/4@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
- Not all processes where analyzed, report is missing behavior information
Time | Type | Description |
---|---|---|
03:54:29 | API Interceptor |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OatAFVzm15.exe_a26318744316683b0d1fe53934c2b47109f797_532d33bc_08651c8c\Report.wer
Download File
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8482562292103298 |
Encrypted: | false |
SSDEEP: | 96:+E+F05lwhXNhM1Dg3f6UpXIQcQmc6NcEgcw3M+HbHg/opAnQ0DF16FaqXOf6qim1:/+O7whOiH4JqZjh/u7sDOS274It0i |
MD5: | 4B7B7F0537F809D79C433468B89E9372 |
SHA1: | C3A4FA4203802588B7C626EE51AD6DA3407F0AE9 |
SHA-256: | B9D5E71EC9055AAE80452DC0238762C9B4B97F2CE7D4CB25BC9D8BBD4CC471C4 |
SHA-512: | C2592A2600AB52EDC55CFB1E33948C389B384C2831312ECC40439DF959838D2AD9B71B7BD0862E3997D2C185CFC582EDC68BC6286232877C6D663CED2C7D4B07 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 36808 |
Entropy (8bit): | 1.960207501755446 |
Encrypted: | false |
SSDEEP: | 96:5m8UhK981/jwmoazYaUOtli76Fcn/s93kIdkD2RpuseAiekdSVXqaen3+FTJSeXw:LUbjiazJtlO6FxuGkdSVXWn3+tgPjHh |
MD5: | EB117393F426614F125FC2F4DB62A75A |
SHA1: | FCBE6606A4E25DA6CFED8F62B3142AB6A0E1EDA3 |
SHA-256: | CC2806C3210AE4AF53DCDD0E484806DD201CC3EFEC9355CF0CCDF8BB1A4AF945 |
SHA-512: | 41A040E299F34D25DD8FC02DD217BF8556EF494FB639118820F462EF8D03E3E7BE16E8152E7B331FB19B3CC072573642E348728FCD32A3F7A918794E349AB663 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8294 |
Entropy (8bit): | 3.693442422335981 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNizu6Yx6YqbSUmNgmf2QjSnCpDN89bYNsfPEom:RrlsNi66+6YGSUmNgmf2QjSVYGfPK |
MD5: | 23148935006202ED488938B09339292F |
SHA1: | 7AB9E12EE777245AFAA33F49BCDCC478A3C20D1C |
SHA-256: | D61D2A1E7D65C026EABD4B17ED1A8AC50828BB5C254BAE793FE4934204C676B4 |
SHA-512: | 25C44CE924F479A5E3B15141AE5A43484DE0D24236E87B88D3DDF8ACFDD7B2AAD6B0B3A9752D298C36CD7331962486E32FEDA8E61C4F1653992E0CD985405CEB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4567 |
Entropy (8bit): | 4.458512499662193 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsfJgtWI901kWgc8sqYjL+8fm8M4JPlF4w+q8v1jusNVMlNd:uITfBn19grsqYP7JRKju2VMlNd |
MD5: | 0FB843827EE07A725FE3024B7C8CFB8F |
SHA1: | 6830F95E3E914FD2C72698FF7FC59BC9B80D1F61 |
SHA-256: | F980C1D6BD0DF238297434C8FCF0DF6B429F066FF5FC3E857F1518C50175FECF |
SHA-512: | BDD63C12640EBC14797E8068A56D1EE76C17E3A0CA28C00C5ACB85CB3E39D34B169F3889663389A59EDDB71A56A8AAD763BC573B88BD10E16FB4E31E5A5978D3 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 3.4408516130120472 |
TrID: |
|
File name: | OatAFVzm15.exe |
File size: | 267264 |
MD5: | b741daeca2edb8d539be2938e5f9490f |
SHA1: | 4affabf1f09e55a1777fedbe83fc26905943045c |
SHA256: | c688c3da0b3fe263e2441f884d47966bb74875c94564e7694aa1c462e5c9435f |
SHA512: | f43fac8e1ab37c70c6633cd558fd9d164fea51cd1835086cdaf42aff60d2b444626b609d4af5f627953913bcf6fc4a0dd1bb39737dc0e23b1bd3bd61930edd20 |
SSDEEP: | 3072:E/DD2zNc31I3tgt89I51ceYaQHK3HEEooVj9k:E/hCdgtR569aQuHEcVj9 |
TLSH: | 6844BF5BB98184B7D5BA3B709DA8B23663FF8D24242DCD87E7580D993831861F22D307 |
File Content Preview: | MZ......................@...............................................................................................................................................................................................................................PE..L.. |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x403ee5 |
Entrypoint Section: | .data |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x408FF235 [Wed Apr 28 18:04:37 2004 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 7 |
OS Version Minor: | 2 |
File Version Major: | 7 |
File Version Minor: | 2 |
Subsystem Version Major: | 7 |
Subsystem Version Minor: | 2 |
Import Hash: | f3b6157e0baac9b50d25d58c877c29ad |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 6Ch |
push esi |
push dword ptr [ebp+0Ch] |
lea eax, dword ptr [ebp-68h] |
push eax |
push dword ptr [ebp+08h] |
call 00007F45A86E8FB7h |
lea eax, dword ptr [ebp-68h] |
push eax |
push 00000000h |
push 0041A2CCh |
call dword ptr [004011A4h] |
test eax, eax |
je 00007F45A86E900Bh |
mov esi, eax |
call 00007F45A86F01A3h |
jmp 00007F45A86E9004h |
xor eax, eax |
pop esi |
leave |
retn 0008h |
push ebp |
mov ebp, esp |
push ecx |
push ecx |
mov eax, dword ptr [0041A2A4h] |
push ebx |
push edi |
call 00007F45A86F1519h |
xor ebx, ebx |
mov dword ptr [ebp-08h], eax |
cmp eax, ebx |
jne 00007F45A86E9009h |
xor eax, eax |
jmp 00007F45A86E90C3h |
push 00000002h |
push ebx |
push ebx |
lea eax, dword ptr [ebp+08h] |
push eax |
push edi |
push dword ptr [ebp+08h] |
mov byte ptr [ebp-01h], bl |
push FFFFFFFFh |
call dword ptr [004011F4h] |
test eax, eax |
jne 00007F45A86E9006h |
mov byte ptr [ebp-01h], 00000001h |
push esi |
mov esi, dword ptr [004011E0h] |
push ebx |
push 00000004h |
lea ecx, dword ptr [ebp+0Ch] |
push ecx |
mov ecx, dword ptr [ebp-08h] |
mov eax, 0041A290h |
sub eax, dword ptr [0041A2A4h] |
add eax, ecx |
push eax |
push edi |
call esi |
test eax, eax |
jne 00007F45A86E9005h |
inc byte ptr [ebp-01h] |
push ebx |
push 00000004h |
lea ecx, dword ptr [ebp-08h] |
push ecx |
mov ecx, dword ptr [ebp-08h] |
mov eax, 0041A2A4h |
sub eax, dword ptr [0041A2A4h] |
add eax, ecx |
push eax |
push edi |
call esi |
pop esi |
test eax, eax |
jne 00007F45A86E9005h |
inc byte ptr [ebp-01h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1200 | 0xd20178 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40000 | 0xf0 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x4d0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.data | 0x1000 | 0x4000 | 0x4000 | False | 0.5638427734375 | data | 5.9940228845162915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x5000 | 0x1000 | 0x1000 | False | 0.588623046875 | data | 6.193572249131582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6000 | 0x1b000 | 0x1b000 | False | 0.49233217592592593 | data | 5.64920698370386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x21000 | 0x1f000 | 0x1f000 | False | 0.0011498235887096775 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x40000 | 0x1400 | 0x1400 | False | 0.4671875 | data | 5.092882560692016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, CryptCreateHash, LookupPrivilegeValueW, SetNamedSecurityInfoW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateProcessAsUserW, RegQueryValueExW, CryptReleaseContext, RegCreateKeyExW, GetTokenInformation, GetSidSubAuthorityCount, OpenThreadToken, CryptAcquireContextW, GetSidSubAuthority, OpenProcessToken, CryptGetHashParam, RegEnumKeyExW, RegOpenKeyExW, GetLengthSid, IsWellKnownSid, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, ConvertSidToStringSidW, RegSetValueExW, CryptHashData, EqualSid, InitiateSystemShutdownExW, ConvertStringSecurityDescriptorToSecurityDescriptorW |
CRYPT32.dll | CertDeleteCRLFromStore, CertCloseStore, PFXImportCertStore, CertEnumCertificatesInStore, CertDuplicateCRLContext, PFXExportCertStoreEx, CertOpenSystemStoreW |
KERNEL32.dll | CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, CreateDirectoryW, GetComputerNameW, GetTickCount, GetCurrentThread, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, WriteFile, OpenProcess, Thread32First, WideCharToMultiByte, ReadProcessMemory, GetVersionExW, HeapDestroy, HeapCreate, GetFileAttributesW, Thread32Next, ReadFile, GetTimeZoneInformation, CreateFileW, MultiByteToWideChar, FlushFileBuffers, GetTempPathW, GetFileSizeEx, FreeLibrary, GetEnvironmentVariableW, SetLastError, VirtualProtectEx, VirtualAllocEx, FindClose, LoadLibraryA, RemoveDirectoryW, FindNextFileW, VirtualProtect, CreateToolhelp32Snapshot, GetFileTime, ReleaseMutex, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, GetSystemTime, SetFileAttributesW, CreateThread, CreateRemoteThread, Process32FirstW, Process32NextW, lstrcmpi, WTSGetActiveConsoleSessionId, SetThreadPriority, GetLocalTime, GlobalLock, GlobalUnlock, ResetEvent, MoveFileExW, GetUserDefaultUILanguage, SetEndOfFile, GetNativeSystemInfo, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, OpenMutexW, FileTimeToDosDateTime, GetProcessId, EnterCriticalSection, VirtualAlloc, LeaveCriticalSection, InitializeCriticalSection, SetThreadContext, GetThreadContext, ExpandEnvironmentStringsW, GetPrivateProfileIntW, GetPrivateProfileStringW, WriteProcessMemory, LocalFree, GetCurrentProcessId, CloseHandle, ExitProcess, DuplicateHandle, OpenEventW, GetFileAttributesExW, lstrcmpiW, WaitForMultipleObjects, CreateEventW, GetProcAddress, GetModuleFileNameW, Sleep, VirtualFreeEx, VirtualFree, GetModuleHandleW, SetEvent, WaitForSingleObject, SetErrorMode, GetCommandLineW, GetLastError |
NETAPI32.dll | NetUserEnum, NetApiBufferFree, NetUserGetInfo |
OLEAUT32.dll | VariantInit, VariantClear, SysAllocString, SysFreeString |
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteW |
SHLWAPI.dll | wvnsprintfW, PathIsDirectoryW, PathFindFileNameW, PathAddBackslashW, SHDeleteValueW, PathSkipRootW, SHDeleteKeyW, PathRemoveBackslashW, UrlUnescapeA, PathRenameExtensionW, PathMatchSpecW, StrCmpNIA, wvnsprintfA, PathUnquoteSpacesW, PathQuoteSpacesW, PathIsURLW, StrStrIW, PathRemoveFileSpecW, PathAddExtensionW, StrStrIA, PathCombineW, StrCmpNIW |
Secur32.dll | GetUserNameExW |
USER32.dll | DrawIcon, LoadImageW, CharLowerBuffA, CharLowerW, ToUnicode, GetClipboardData, GetKeyboardState, ExitWindowsEx, GetIconInfo, DispatchMessageW, CharUpperW, PeekMessageW, CharLowerA, TranslateMessage, CharToOemW, MsgWaitForMultipleObjects, GetCursorPos |
WININET.dll | InternetCrackUrlA, HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpSendRequestW, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpSendRequestExA, HttpAddRequestHeadersA, InternetQueryOptionA, InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionA, InternetReadFile, InternetConnectA, HttpQueryInfoA |
WS2_32.dll | WSASetLastError, closesocket, FreeAddrInfoW, listen, socket, recv, sendto, WSASend, WSAEventSelect, getpeername, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, recvfrom, getaddrinfo, select, WSAGetLastError, getsockname, shutdown, setsockopt, send, accept, bind |
ole32.dll | StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx |
Click to jump to process
Target ID: | 0 |
Start time: | 03:54:22 |
Start date: | 27/08/2022 |
Path: | C:\Users\user\Desktop\OatAFVzm15.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 267264 bytes |
MD5 hash: | B741DAECA2EDB8D539BE2938E5F9490F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Target ID: | 3 |
Start time: | 03:54:24 |
Start date: | 27/08/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1170000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |