Windows
Analysis Report
OatAFVzm15.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- OatAFVzm15.exe (PID: 772 cmdline:
"C:\Users\ user\Deskt op\OatAFVz m15.exe" MD5: B741DAECA2EDB8D539BE2938E5F9490F) - WerFault.exe (PID: 6092 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 72 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security | ||
JoeSecurity_Citadel | Yara detected Citadel | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Static PE information: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Process created: |
Source: | Metadefender: | ||
Source: | ReversingLabs: |
Source: | File created: | Jump to behavior |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Process queried: | ||
Source: | Process queried: |
Source: | Binary or memory string: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
57% | Metadefender | Browse | ||
92% | ReversingLabs | Win32.Trojan.Zeus | ||
100% | Avira | TR/Spy.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Spy.Gen | Download File | ||
100% | Avira | TR/Spy.Gen | Download File | ||
100% | Avira | TR/Spy.Gen | Download File | ||
100% | Avira | TR/Spy.Gen | Download File |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 691234 |
Start date and time: | 2022-08-27 03:58:55 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | OatAFVzm15.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.bank.winEXE@2/4@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: OatAFVzm15.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OatAFVzm15.exe_a26318744316683b0d1fe53934c2b47109f797_532d33bc_179a95d5\Report.wer
Download File
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.8477355130975469 |
Encrypted: | false |
SSDEEP: | 96:0FOFfc6hFNhM1Dg3f6UpXIQcQzc6CmcE1cw3CH+HbHg/opAnQ0DF16Fawn9TxifT:049Lh8iHNXfnjJ/u7suS274It0i |
MD5: | 67ED49590B71E87BC8AEF7FED35BEDA5 |
SHA1: | 17943598405BF7ADEE1A6D940C728B98C7CFFEF5 |
SHA-256: | FFE956B2D85E2C8FABFB8AC382C63DB6D2F283BF7366439F1CE9D7FDD58AB76D |
SHA-512: | F8A9380C2DFFDB7691CE32EDDE652318D89DD76BA2B1D760B512B0B1F4B628C8CEAF71CC9962F975CE13A6EA13F7C5B46557FC4D4BC8CC61114E1FFF3ECBA0AF |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34716 |
Entropy (8bit): | 2.202131923820371 |
Encrypted: | false |
SSDEEP: | 192:ZkBBj9VBsiv0O65OsdSN591U03PjKHyl6DBQCW:aJVBsQ6rY5jKxBXW |
MD5: | 45472289EA981225005104219636EC68 |
SHA1: | 28675A39F6405261955670E64A2092D0699D6B9D |
SHA-256: | 038786401FD022238B42FA9231B7CF4682E150676FF567A892B3CCACF5DA4962 |
SHA-512: | 387D498F6D8B904849EFF2F28384BA4312A69C975EE5DC45C562F7525BC0C6C7046802541174239E7E5B9E90C0DFE935FD9537C8F2BEE511B00F16463C4B680E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8284 |
Entropy (8bit): | 3.6967453155481205 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNija6F6YqbSUMLrgmf2QjS3OzCpxT89bESsfiGsm:RrlsNie6F6YWSUMngmf2QjS3O9ERfd |
MD5: | 66631305A7D025E8E6DE30003254E753 |
SHA1: | 9BA48BE6C3EA2D67A691F793850901C59A5ACE21 |
SHA-256: | FEA2674FE4A504EFE873738BA4433B61BE9211955148464134B824873AC01B2F |
SHA-512: | 09864257CB92A302C4132094C61BDC5E61AEAAE7ECA427376421A8E795CA8DAA3967F25DB06F28D8026325291DA6BA97A52FE9A122004573821D330035825504 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4567 |
Entropy (8bit): | 4.4595943412768975 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsdJgtWI90SWgc8sqYjf8fm8M4JPlF/c+q8vA2pjusNVMlOd:uITf3PzgrsqYYJsPgju2VMlOd |
MD5: | 2E9D1069FB8B86985BBC56341C8458B5 |
SHA1: | 46C27DD82AA8C2F31EC1BBB149B8D576EA54CA6C |
SHA-256: | 1B4B6082E07DF792F627F9E3E1025B99278F6AB0842669BC1D4CB390FA1ACB96 |
SHA-512: | 2F40A7A399B517D5C9F94BCFB600AED642E1D7346F67AF65D44E47B0800FCA9D21B288D46B8069C499D7B20CF1599B0A1DDD9E05415699EAA65FECB5FA06A911 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 3.4408516130120472 |
TrID: |
|
File name: | OatAFVzm15.exe |
File size: | 267264 |
MD5: | b741daeca2edb8d539be2938e5f9490f |
SHA1: | 4affabf1f09e55a1777fedbe83fc26905943045c |
SHA256: | c688c3da0b3fe263e2441f884d47966bb74875c94564e7694aa1c462e5c9435f |
SHA512: | f43fac8e1ab37c70c6633cd558fd9d164fea51cd1835086cdaf42aff60d2b444626b609d4af5f627953913bcf6fc4a0dd1bb39737dc0e23b1bd3bd61930edd20 |
SSDEEP: | 3072:E/DD2zNc31I3tgt89I51ceYaQHK3HEEooVj9k:E/hCdgtR569aQuHEcVj9 |
TLSH: | 6844BF5BB98184B7D5BA3B709DA8B23663FF8D24242DCD87E7580D993831861F22D307 |
File Content Preview: | MZ......................@...............................................................................................................................................................................................................................PE..L.. |
Icon Hash: | 00828e8e8686b000 |
Entrypoint: | 0x403ee5 |
Entrypoint Section: | .data |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x408FF235 [Wed Apr 28 18:04:37 2004 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 7 |
OS Version Minor: | 2 |
File Version Major: | 7 |
File Version Minor: | 2 |
Subsystem Version Major: | 7 |
Subsystem Version Minor: | 2 |
Import Hash: | f3b6157e0baac9b50d25d58c877c29ad |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 6Ch |
push esi |
push dword ptr [ebp+0Ch] |
lea eax, dword ptr [ebp-68h] |
push eax |
push dword ptr [ebp+08h] |
call 00007F36E0770AC7h |
lea eax, dword ptr [ebp-68h] |
push eax |
push 00000000h |
push 0041A2CCh |
call dword ptr [004011A4h] |
test eax, eax |
je 00007F36E0770B1Bh |
mov esi, eax |
call 00007F36E0777CB3h |
jmp 00007F36E0770B14h |
xor eax, eax |
pop esi |
leave |
retn 0008h |
push ebp |
mov ebp, esp |
push ecx |
push ecx |
mov eax, dword ptr [0041A2A4h] |
push ebx |
push edi |
call 00007F36E0779029h |
xor ebx, ebx |
mov dword ptr [ebp-08h], eax |
cmp eax, ebx |
jne 00007F36E0770B19h |
xor eax, eax |
jmp 00007F36E0770BD3h |
push 00000002h |
push ebx |
push ebx |
lea eax, dword ptr [ebp+08h] |
push eax |
push edi |
push dword ptr [ebp+08h] |
mov byte ptr [ebp-01h], bl |
push FFFFFFFFh |
call dword ptr [004011F4h] |
test eax, eax |
jne 00007F36E0770B16h |
mov byte ptr [ebp-01h], 00000001h |
push esi |
mov esi, dword ptr [004011E0h] |
push ebx |
push 00000004h |
lea ecx, dword ptr [ebp+0Ch] |
push ecx |
mov ecx, dword ptr [ebp-08h] |
mov eax, 0041A290h |
sub eax, dword ptr [0041A2A4h] |
add eax, ecx |
push eax |
push edi |
call esi |
test eax, eax |
jne 00007F36E0770B15h |
inc byte ptr [ebp-01h] |
push ebx |
push 00000004h |
lea ecx, dword ptr [ebp-08h] |
push ecx |
mov ecx, dword ptr [ebp-08h] |
mov eax, 0041A2A4h |
sub eax, dword ptr [0041A2A4h] |
add eax, ecx |
push eax |
push edi |
call esi |
pop esi |
test eax, eax |
jne 00007F36E0770B15h |
inc byte ptr [ebp-01h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1200 | 0xd20178 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40000 | 0xf0 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x4d0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.data | 0x1000 | 0x4000 | 0x4000 | False | 0.5638427734375 | data | 5.9940228845162915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x5000 | 0x1000 | 0x1000 | False | 0.588623046875 | data | 6.193572249131582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6000 | 0x1b000 | 0x1b000 | False | 0.49233217592592593 | data | 5.64920698370386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x21000 | 0x1f000 | 0x1f000 | False | 0.0011498235887096775 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.idata | 0x40000 | 0x1400 | 0x1400 | False | 0.4671875 | data | 5.092882560692016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, CryptCreateHash, LookupPrivilegeValueW, SetNamedSecurityInfoW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateProcessAsUserW, RegQueryValueExW, CryptReleaseContext, RegCreateKeyExW, GetTokenInformation, GetSidSubAuthorityCount, OpenThreadToken, CryptAcquireContextW, GetSidSubAuthority, OpenProcessToken, CryptGetHashParam, RegEnumKeyExW, RegOpenKeyExW, GetLengthSid, IsWellKnownSid, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, CryptDestroyHash, AdjustTokenPrivileges, ConvertSidToStringSidW, RegSetValueExW, CryptHashData, EqualSid, InitiateSystemShutdownExW, ConvertStringSecurityDescriptorToSecurityDescriptorW |
CRYPT32.dll | CertDeleteCRLFromStore, CertCloseStore, PFXImportCertStore, CertEnumCertificatesInStore, CertDuplicateCRLContext, PFXExportCertStoreEx, CertOpenSystemStoreW |
KERNEL32.dll | CreateProcessW, HeapAlloc, SystemTimeToFileTime, SetFilePointerEx, HeapFree, CreateDirectoryW, GetComputerNameW, GetTickCount, GetCurrentThread, GetProcessHeap, IsBadReadPtr, SetFileTime, VirtualQueryEx, WriteFile, OpenProcess, Thread32First, WideCharToMultiByte, ReadProcessMemory, GetVersionExW, HeapDestroy, HeapCreate, GetFileAttributesW, Thread32Next, ReadFile, GetTimeZoneInformation, CreateFileW, MultiByteToWideChar, FlushFileBuffers, GetTempPathW, GetFileSizeEx, FreeLibrary, GetEnvironmentVariableW, SetLastError, VirtualProtectEx, VirtualAllocEx, FindClose, LoadLibraryA, RemoveDirectoryW, FindNextFileW, VirtualProtect, CreateToolhelp32Snapshot, GetFileTime, ReleaseMutex, FileTimeToLocalFileTime, GetVolumeNameForVolumeMountPointW, DeleteFileW, GetFileInformationByHandle, GetSystemTime, SetFileAttributesW, CreateThread, CreateRemoteThread, Process32FirstW, Process32NextW, lstrcmpi, WTSGetActiveConsoleSessionId, SetThreadPriority, GetLocalTime, GlobalLock, GlobalUnlock, ResetEvent, MoveFileExW, GetUserDefaultUILanguage, SetEndOfFile, GetNativeSystemInfo, FindFirstFileW, CreateMutexW, HeapReAlloc, GetTempFileNameW, OpenMutexW, FileTimeToDosDateTime, GetProcessId, EnterCriticalSection, VirtualAlloc, LeaveCriticalSection, InitializeCriticalSection, SetThreadContext, GetThreadContext, ExpandEnvironmentStringsW, GetPrivateProfileIntW, GetPrivateProfileStringW, WriteProcessMemory, LocalFree, GetCurrentProcessId, CloseHandle, ExitProcess, DuplicateHandle, OpenEventW, GetFileAttributesExW, lstrcmpiW, WaitForMultipleObjects, CreateEventW, GetProcAddress, GetModuleFileNameW, Sleep, VirtualFreeEx, VirtualFree, GetModuleHandleW, SetEvent, WaitForSingleObject, SetErrorMode, GetCommandLineW, GetLastError |
NETAPI32.dll | NetUserEnum, NetApiBufferFree, NetUserGetInfo |
OLEAUT32.dll | VariantInit, VariantClear, SysAllocString, SysFreeString |
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteW |
SHLWAPI.dll | wvnsprintfW, PathIsDirectoryW, PathFindFileNameW, PathAddBackslashW, SHDeleteValueW, PathSkipRootW, SHDeleteKeyW, PathRemoveBackslashW, UrlUnescapeA, PathRenameExtensionW, PathMatchSpecW, StrCmpNIA, wvnsprintfA, PathUnquoteSpacesW, PathQuoteSpacesW, PathIsURLW, StrStrIW, PathRemoveFileSpecW, PathAddExtensionW, StrStrIA, PathCombineW, StrCmpNIW |
Secur32.dll | GetUserNameExW |
USER32.dll | DrawIcon, LoadImageW, CharLowerBuffA, CharLowerW, ToUnicode, GetClipboardData, GetKeyboardState, ExitWindowsEx, GetIconInfo, DispatchMessageW, CharUpperW, PeekMessageW, CharLowerA, TranslateMessage, CharToOemW, MsgWaitForMultipleObjects, GetCursorPos |
WININET.dll | InternetCrackUrlA, HttpAddRequestHeadersW, InternetSetStatusCallbackW, GetUrlCacheEntryInfoW, HttpSendRequestW, InternetReadFileExA, InternetQueryDataAvailable, HttpSendRequestExW, HttpSendRequestExA, HttpAddRequestHeadersA, InternetQueryOptionA, InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, InternetSetOptionA, InternetReadFile, InternetConnectA, HttpQueryInfoA |
WS2_32.dll | WSASetLastError, closesocket, FreeAddrInfoW, listen, socket, recv, sendto, WSASend, WSAEventSelect, getpeername, WSAIoctl, connect, WSAAddressToStringW, WSAStartup, recvfrom, getaddrinfo, select, WSAGetLastError, getsockname, shutdown, setsockopt, send, accept, bind |
ole32.dll | StringFromGUID2, CLSIDFromString, CoUninitialize, CoCreateInstance, CoInitializeEx |
Click to jump to process
Target ID: | 1 |
Start time: | 03:59:48 |
Start date: | 27/08/2022 |
Path: | C:\Users\user\Desktop\OatAFVzm15.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 267264 bytes |
MD5 hash: | B741DAECA2EDB8D539BE2938E5F9490F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Target ID: | 3 |
Start time: | 03:59:50 |
Start date: | 27/08/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcb0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |