Windows
Analysis Report
invoice.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64native
- invoice.exe (PID: 4636 cmdline: C:\Users\user\Desktop\invoice.exe MD5: F111934675C34CCA18D9D76FC34A2E40)
- CasPol.exe (PID: 1520 cmdline: C:\Users\user\Desktop\invoice.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- WerFault.exe (PID: 4620 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2544 MD5: 40A149513D721F096DDF50C04DA2F01F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
Timestamp: | 03/17/23-14:34:28.679795 |
Source IP: | 192.168.11.20 |
Destination IP: | 193.122.130.0 |
SID: | 2039190 |
Source Port: | 49842 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection
Source | Entries |
---|---|
Virustotal | 1 |
ReversingLabs | 1 |
Static PE information | 1 |
HTTPS traffic detected | 2 |
Static PE information | 1 |
Binary string | 16 |
Code function | 3 |
File opened | 6 |
Code function | 2 |
Networking
Source | Entries |
---|---|
Snort IDS | 1 |
DNS query | 2 |
ASN Name | 1 |
JA3 fingerprint | 1 |
IP Address | 1 |
HTTP traffic detected | 3 |
Network traffic detected | 4 |
UDP traffic detected without corresponding DNS query | 3 |
String found in binary or memory | 27 |
DNS traffic detected | 1 |
HTTP traffic detected | 3 |
HTTPS traffic detected | 2 |
Code function | 1 |
File created | 1 |
System Summary
Source | Entries |
---|---|
Static PE information | 1 |
Static PE information | 1 |
Process created | 1 |
Code function | 1 |
Code function | 6 |
Process Stats | 1 |
Static PE information | 1 |
Binary or memory string | 1 |
Section loaded | 2 |
Static PE information | 1 |
Virustotal, ReversingLabs | 2 |
File read | 1 |
Static PE information | 1 |
Key opened | 1 |
Process created | 5 |
Key value queried | 1 |
Code function | 1 |
File created | 1 |
File created | 1 |
Classification label | 1 |
Code function | 1 |
File read | 1 |
Code function | 1 |
Section loaded | 3 |
Mutant created | 3 |
Window detected | 1 |
File opened | 1 |
Key opened | 1 |
Static PE information | 1 |
Binary string | 16 |
Data Obfuscation
Source | Entries |
---|---|
File source | 1 |
Code function | 1 |
Static PE information | 2 |
Code function | 1 |
File created | 6 |
Process information set | 70 |
Malware Analysis System Evasion
Source | Entries |
---|---|
File opened | 4 |
Binary or memory string | 1 |
Last function | 1 |
Dropped PE file which has not been started | 4 |
Code function | 3 |
API call chain | 2 |
File opened | 6 |
Binary or memory string | 14 |
Code function | 1 |
Process token adjusted | 1 |
Code function | 1 |
Memory allocated | 1 |
HIPS / PFW / Operating System Protection Evasion
Source | Entries |
---|---|
Memory written | 1 |
Process created | 1 |
Queries volume information | 3 |
Key value queried | 1 |
Code function | 1 |
Binary or memory string | 1 |
Stealing of Sensitive Information
Source | Entries |
---|---|
Key opened | 1 |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Access Token Manipulation | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 15 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Detection | Scanner | Label |
---|---|---|
28% | Virustotal | |
36% | ReversingLabs | Win32.Trojan.Tnega |
Detection | Scanner | Label |
---|---|---|
0% | ReversingLabs | |
2% | ReversingLabs | |
0% | ReversingLabs | |
0% | ReversingLabs | |
0% | ReversingLabs | |
0% | ReversingLabs | |
Detection | Scanner | Label |
---|---|---|
100% | Avira | HEUR/AGEN.1223491 |
100% | Avira | HEUR/AGEN.1223491 |
Detection | Scanner | Label |
---|---|---|
0% | Virustotal | |
0% | Virustotal | |
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Virustotal | |
0% | Virustotal | |
0% | Virustotal | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.184.206 | true | false | | high |
googlehosted.l.googleusercontent.com | 142.250.186.33 | true | false | | high |
checkip.dyndns.com | 193.122.130.0 | true | true | | unknown |
checkip.dyndns.org | unknown | unknown | true | | unknown |
doc-0k-a8-docs.googleusercontent.com | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| | true | | unknown |
| | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| | | false | | unknown |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | unknown |
| | | false | | high |
| | | false | | high |
| | | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | true |
142.250.184.206 | drive.google.com | United States | 15169 | GOOGLEUS | false |
142.250.186.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828743 |
Start date and time: | 2023-03-17 14:30:04 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 11m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301) |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | invoice.exe |
Detection: | MAL |
Classification: | mal88.troj.spyw.evad.winEXE@5/19@3/3 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 20.42.73.29
- Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wdcp.microsoft.com
- Execution Graph export aborted for target CasPol.exe, PID 1520 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_caspol.exe_d8eda6a1754a151dd5173ca6db3e65435df63db_ea830a9b_04bcfbd1-2c77-4702-aba0-8ccec9d684fc\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.2413258792200002 |
Encrypted: | false |
SSDEEP: | 192:lMbr9vYxYmBUWSaX+AMWVM+Du760fAIO8h:KFYHBUWSaOaq+Du760fAIO8h |
MD5: | AA43B8BBA15A813BFCCD02E862007CD8 |
SHA1: | 8250B873BAC21F5986212B2451B512E48B4349D5 |
SHA-256: | 2D416E1A3C441D6B7DCF6EF0F287F15ED46DCEF848C32BEB31D02196D402DB63 |
SHA-512: | 159EAE789D7948F7077A9761DCEB26AC5A66D646CA0E183AEF6B3DA6EA00C55BECAA2CFC90A5BBC04A875F15CA86A8348895E2A8F6D83D4EAF63D41DD09E77FB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 296706 |
Entropy (8bit): | 3.5831200793212092 |
Encrypted: | false |
SSDEEP: | 3072:QA5LTg7X74RS+qaqyO0uE04uEqW6PCLFQq:QcTgoAHaqyb04z6S |
MD5: | 7EBCA7182F74A342B0C77C9FE8DDC072 |
SHA1: | 1F7A577A9AC5731E0DD8130DDBB8B5B01D0F496E |
SHA-256: | 8D93AC888DBA63A724D6827FCEA592EE97BE5E19BFAE9131BD861813E6C644E5 |
SHA-512: | 5DFF1396A6136908905076DFD12A267B8F69CC6D52F09107AE99EEF40EA84AFAD37AC33A39A543B064CAED628E585E76919C576AB535D5B22AB2CD3311E75CFB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8434 |
Entropy (8bit): | 3.7091201286754427 |
Encrypted: | false |
SSDEEP: | 192:R9l7lZNidI6IyHLoW6YAAo66ngmfZJCGprr89bw0sfBwm:R9lnNiC6IyroW6YAf6agmfXkwnfj |
MD5: | A6EEA52F37433165774D6A66E6B6994F |
SHA1: | 97AEC2A821BA4337326EB3BDEE28195E298F6291 |
SHA-256: | 5F4ECF6632344627BA5B494DEAB0E0E9F97E194E1F1FDC699D9985AADE578C43 |
SHA-512: | F068BFD03B06815A0677F92099A389CFCE810E184070BF8738E98F394268454DD077BA4A424488B9540E34750DE42AD5400C993401C3D862C9BDCEB290BE95B9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4928 |
Entropy (8bit): | 4.554053374413811 |
Encrypted: | false |
SSDEEP: | 48:cvIwwtl8zsnle702I7VFJ5WS2Cfjkss3rm8M4Jd0PFr+q8vr0uvkinkd:uILfs7GySPfqJCKXvkinkd |
MD5: | 5770CD5EAA63B08F65E7E38543698591 |
SHA1: | E440A41F9A3DAE38151312126A08FA17C818B0D2 |
SHA-256: | 5D8A6CD4D2DE8A2B0B46B87FAEAB8B31E6622D0C5EF81970C9D65975B37CA94E |
SHA-512: | 5BFC69378548041A332B3E6ECDFA0A687C708BDDF0985D2694512F1967B56C86EC0BCE545567DDCF70CA98D0E113D023AEECE91538D05E5AABF64D8F5AC7453F |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\icon-ui.icns
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 160264 |
Entropy (8bit): | 4.358279117234243 |
Encrypted: | false |
SSDEEP: | 768:EVS3TP/nITMkSXnOLeecEKVdPGeGlo1ciX9NtfoxOpGHXGHmeVDj3bRQ9pY/ycVa:EVsPQBRodPDW4zMctML/ |
MD5: | B47C741673A92A16B48140FCBDA04030 |
SHA1: | AA7A003DA656320A274F276EE4BF8C27203D1B4C |
SHA-256: | E6E775E7A5AC1BFA01B5A5CB9A7532171817408E67E346E33CA3CB091BDEA478 |
SHA-512: | 464BFC63FD715E07C02ED78F9603A1C890F3848C0D46BB7B58D352B3FF1E76612E8D772903C9954159586735567DD493A023BCFADA5E15407725F7267567DC60 |
Malicious: | false |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 323584 |
Entropy (8bit): | 6.212800759462987 |
Encrypted: | false |
SSDEEP: | 3072:KW+Rs18sEZQEwgD+odVKFKLuFv1kJV0YVJL/vFU/lmJ03Hk7OJ3/b7FG66sN4IqF:j7SdPKZ1kJLLH+lmJgHeOVb7o663L |
MD5: | 86B8B1F5C1189D68B07666784BE882FE |
SHA1: | B023E9442CFC9C9652E1C8990F06DEF08BDC5B01 |
SHA-256: | 0DD8C627F3DDBDB61B1910540C465C0D62C9F8D84C7CBB6C80782DB02D535AF0 |
SHA-512: | E471BEBDD441756CD840420C862CD84EF18A03144DDCAA20D783399D0736BD012D3984E38BDDB9DF16837B205D0A6ECA4C6FEE1D41553B5002A4B1E1B753E139 |
Malicious: | false |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship\vmusbmouse.cat
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10376 |
Entropy (8bit): | 7.080841609849737 |
Encrypted: | false |
SSDEEP: | 192:pL/2EJC+EhGRmwBYyKaWFWQFV5NB0884LfqnajnWc:11PCFRVJlLWc |
MD5: | DBE99D951395F37E5C3F4164D8A22245 |
SHA1: | 238EF179549F6AEB2E3C6F4188365814A965312B |
SHA-256: | 671CB26C75AC0256B07835AE00E7018AF6126FAE7400BF21E57707E0CC9164B5 |
SHA-512: | 3A931015C1038965028AD70E439F75BA210B1113BBCD8A7C5063DA376DBB577F250BE6141B93F1CB100084A930DAD4B2205864F19F3A5E3911CD6CC0B6D0D0D8 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 353768 |
Entropy (8bit): | 6.836018886719178 |
Encrypted: | false |
SSDEEP: | 6144:EpcTapyHuUcl0PUpFawtMR6gP4aHrmtcWR3uA9:MIaQ+l0PoRtW6aHrmtcWRt9 |
MD5: | B75A8E0DDEEB4330C1DBA37105244B0F |
SHA1: | E5302CA8517AC2826B5D56E3395D41C34B5B3DF7 |
SHA-256: | CC142B9D8B5223E2720C6440CB7A124C0A80D2FB04ECF59AD7331DFD6E3CB51F |
SHA-512: | 120F91A144B5B6CC9E33B232AE4466AF2E6C5F702F4C04E9A03DD4F239DE752770E4DE2C6BE2CAF3BEE9775C8887EAB9E08A896D7F2EBA1AD8CF928555CC99A3 |
Malicious: | false |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 116720 |
Entropy (8bit): | 5.889271571414613 |
Encrypted: | false |
SSDEEP: | 3072:g3nqpX2I6OhctR+lCTD01Lcy4J93TnCx86:L2W1oy4J93TCT |
MD5: | DBF787BD6E5CE77FB34FF281A144EB96 |
SHA1: | 50B7799ECCA566BE35429828245D44CB04AD8885 |
SHA-256: | CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9 |
SHA-512: | 07949EC3882D9CB6E2341CE60C6E911F24463B01F484C037E65A2A8F3495543A096B632E01F8480D03FF388D1E811ECF760155F97F1D5329785C506603BB18A7 |
Malicious: | false |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Stemningssvingning\Urgently.Suk
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 52812 |
Entropy (8bit): | 2.691443133069214 |
Encrypted: | false |
SSDEEP: | 768:w3MHvSSEEEE422O9Py2Ve76uBu+O3+xpnY/A8o9kxErpEEEbYRx+KmGSBAM07byk:bvS53XH/Y/A8opMr07bnr |
MD5: | 4C6FAD70762561B0D38AA152C52796A8 |
SHA1: | 9FAFD1E9CF41E5482AC7960F7F0C20AB5B703D30 |
SHA-256: | C7CC1E08C3B0850EF02E7F4371D71918B55686581FDE5D124149884EE56C8F4F |
SHA-512: | 721DC72FF2153615343BCEC4B408337E8BD5012C234237F2005C43C48D1179DEDC1606014DE6659F5A22BC9116C2348C1AD5B05BF128D60572EEAE9346E06EE0 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Udlandsrejse153\Aeroscopic\Clanging\Uskyldsrent\SourceCodePro-ExtraLight.otf
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 127080 |
Entropy (8bit): | 7.036042013030407 |
Encrypted: | false |
SSDEEP: | 3072:Tz0LOC7z/0cS/Uz0+Gp+dtsVaHGg0IADoQg4RAxL2+p:s7z/0jUz0+GsdBHGg9cg4mvp |
MD5: | 9ECC8DF598E9EDDE1072942D344CC0CF |
SHA1: | 9FF240AB48EB7E97237E25D8C6F8CD738BA97CAA |
SHA-256: | D945E1C81A59A434E36EEDEF21E64B61CC6901A9E43936AF79C20BDBF57592B1 |
SHA-512: | 09978B7AF39B541C13F5E628BAF789E9FD1635258C74379351612451022D53B38B9F78DA7A74C19BA0FFB7B0C93B63C69EFCFC36285EFBCAF3678ADE7D423AD0 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Udlandsrejse153\Aeroscopic\Clanging\Uskyldsrent\cs.txt
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9204 |
Entropy (8bit): | 5.371514089173945 |
Encrypted: | false |
SSDEEP: | 192:iRJ98lWxEb5BvGIrd+mc1OTno+SXhbSIm1JjSvcQpK/w:ijK0GeIrQmEOTno+SXox1JjmpKo |
MD5: | 641B90F9AEDFC68486D0D20B40F7ECA6 |
SHA1: | 0A683DD844534905336784FADD80498AFE26F6FA |
SHA-256: | 87A4B9369FD51D76C9032C0E65C3C6221659E086798829072785BE589E55B839 |
SHA-512: | 567CB9F6C31D196A171E5A9C2726A39A9B3D351AC92D4ACF8624213A68C9033ACC31AFAAAD82AA9F5359F32D3A0CA40522E151B8370D553A41ABEB6A6E097078 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\figuranternes.Han
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 218305 |
Entropy (8bit): | 7.337101777894853 |
Encrypted: | false |
SSDEEP: | 3072:PdqWTzg/gzZ9xRpRmib28JUBTE+vAsGolsJAsJ7Z/aKespGgyfZrl:HOaZ1nv9J2I+veZiKe2i |
MD5: | DF0C864AD6FE636F3AD391B04A408AC7 |
SHA1: | B0072D5406BA66EDD9F6A1A443D56378BDA688C5 |
SHA-256: | A802EB02B9345615A947C6B8B57441D7DEBD4300FFEAFC16623CE18F68CABBF2 |
SHA-512: | 2AA97CC2724CA1309B3594F552BAF227CCB7B6F73B29E612A9779D987E9FBE0E41F7CE765083AE16CD3CEC84B826A401279D69200D1AE3A0722B4E3CC731079C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 5632 |
Entropy (8bit): | 4.76010720109437 |
Encrypted: | false |
SSDEEP: | 96:HqNXqwK188CgAtXvZBkjDf0yf9ysrtWp2wol:HAqrg1XvZB6kYtWp2 |
MD5: | 88C3BA1802AEF228541820767453E058 |
SHA1: | 4F3AEFB9E4EC27CB49973CB19BD968E54A2BA676 |
SHA-256: | 2722555EC1F72523774B64D25FD4C2B460000BFE82140876D6100DC4FB1F62B1 |
SHA-512: | 718790339E13B53553AFDE6968AE10CDA7B47CBDBFC82599116C8B5B1E8FBBA259F0CE6781908BE027360132A0ABE057DF2FFA7072212ACDA96BFF535E241582 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\invoice.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11264 |
Entropy (8bit): | 5.767999234165119 |
Encrypted: | false |
SSDEEP: | 192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa |
MD5: | C9473CB90D79A374B2BA6040CA16E45C |
SHA1: | AB95B54F12796DCE57210D65F05124A6ED81234A |
SHA-256: | B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352 |
SHA-512: | EAFE7D5894622BC21F663BCA4DD594392EE0F5B29270B6B56B0187093D6A3A103545464FF6398AD32D2CF15DAB79B1F133218BA9BA337DDC01330B5ADA804D7B |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2097152 |
Entropy (8bit): | 4.523815600656336 |
Encrypted: | false |
SSDEEP: | 12288:kDvK0ehODuTywB84iTd+vXlnebS23+5PfWhsYSDzFJFGl56zwlMhagmcnYJx:kATywB84iTd+vXlneGKHlMhagmcnYJx |
MD5: | 6B3E54A24A9E83963E044BE36E344CD6 |
SHA1: | FE8383F68D875A4C9E711E7878D7385C1612CCCA |
SHA-256: | D3FF0F24C8D20A5005CC564DEB0B197A5FBF1506F3F1388D50292DD118698312 |
SHA-512: | BD8821C4DE2619E9450DE73A4FAA53B13D6102CB1686DFABBB72D01B12AE96FC8918D01FD366ACC3EC139DD22DAFBDFDE98D418677656469776B9C992C4D8904 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 499712 |
Entropy (8bit): | 4.5534365820054905 |
Encrypted: | false |
SSDEEP: | 3072:HAQEODdececetnZJCy5i1T7Em0CXrnS+p2oJHrYKzOixxRvF5dlEVyi9RReloD3I:0OJJxa5ii+4yLYKzX1F/ljiteloN5 |
MD5: | 51B02C650B9F903CC6EEACB3A10D21A5 |
SHA1: | 4EA07D7465F2429B16A13D2058F8A4B25CC65AE4 |
SHA-256: | 30B4E3705D8FAC7230A89C328F433F7EEC2FA552181EE91AB39F4B13A7ED70ED |
SHA-512: | 7624DD241AC2E1448014E5B603C9FDD255180E437E1A34520D8115C3B56052D24DC7FD98C4ED929D6722F71CCF1F2FC978C3344F7FABEADEA4F490B78D7B137F |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 164 |
Entropy (8bit): | 4.5750027080925975 |
Encrypted: | false |
SSDEEP: | 3:WNEDkFrA7fw3eqIusdHSdX7/fWmEdIOAlwV6EwqQLWFBaaafFa/Rv/naaaaqBcn:WsTbtyxkKO+dZWF7afFoRHRaaqBc |
MD5: | 8D14AB4128F9BFE3E4F5F9B160BBFFE7 |
SHA1: | 7EA846DF04D4120A819DB47723C716BF2610E5CD |
SHA-256: | 91D7EA682DB129FD33DA04168DB3BFCA08EA8B6CB0533C559E0ADC0DA5BD56E8 |
SHA-512: | BF72FC0F59202B09E92961CE6C6CF21D3BBBB22AAA6B0A6B3FFBA2392362BF30A6B874A6CBBF6D11F06975CDDDBDB247053222D34D4F24055E50C0AFC9802E65 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.953363965326294 |
TrID: | |
File name: | invoice.exe |
File size: | 861416 |
MD5: | f111934675c34cca18d9d76fc34a2e40 |
SHA1: | 6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1 |
SHA256: | c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2 |
SHA512: | 48b825550b320ebfcccc4260e359ffedad7675913ee7e7a62bd62a3839fd20c8f7cafb9a6e6bb8d7d8a2164674019b696c8851362c0a6b69f4dde8b1da3dc84c |
SSDEEP: | 12288:cJAEzBf4FZZmubGJ6vVZgj9Zp4RVkdXALai8ZpP7MxhGmeLJfRriFm4gCb5vr:cJBf4guba6voj9mOdXALN8bP7MxhVP5 |
TLSH: | 090523919D24D01ACFCB1A32C6E0AAF51FA93D1DF546350FAB103DDE7AB3016992E1D8 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...2.uY.................d...|..... |
Icon Hash: | 185d7c3f1d094720 |
Entrypoint: | 0x4031f1 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x59759532 [Mon Jul 24 06:35:30 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 3abe302b6d9a1256e6a915429af4ffd2 |
Signature Valid: | false |
Signature Issuer: | E=Levnendes@Printstnings.Gum, OU="Berlinsk Absorptively Uncatholicise ", O=Toffy, L=Parbrook, S=England, C=GB |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 56C9BA7DFEC92471D18B65DEBADFD264 |
Thumbprint SHA-1: | 791103B8F445F30749CC09454489D8932043151F |
Thumbprint SHA-256: | 12660D9C667AA56EF5F4D3C7A46C00BBF32786E1EDB7C6D1BB2EFDC10DDE5337 |
Serial: | 292387F23D7D31A4C4A61C828EB508755809B6A4 |
Instruction |
---|
sub esp, 00000184h |
push ebx |
push esi |
push edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+18h], ebx |
mov dword ptr [esp+10h], 0040A198h |
mov dword ptr [esp+20h], ebx |
mov byte ptr [esp+14h], 00000020h |
call dword ptr [004080A0h] |
call dword ptr [0040809Ch] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042F40Ch], eax |
je 00007FEA50837CA3h |
push ebx |
call 00007FEA5083AD5Ah |
cmp eax, ebx |
je 00007FEA50837C99h |
push 00000C00h |
call eax |
mov esi, 00408298h |
push esi |
call 00007FEA5083ACD6h |
push esi |
call dword ptr [00408098h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], bl |
jne 00007FEA50837C7Dh |
push 0000000Ah |
call 00007FEA5083AD2Eh |
push 00000008h |
call 00007FEA5083AD27h |
push 00000006h |
mov dword ptr [0042F404h], eax |
call 00007FEA5083AD1Bh |
cmp eax, ebx |
je 00007FEA50837CA1h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007FEA50837C99h |
or byte ptr [0042F40Fh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [00408288h] |
mov dword ptr [0042F4D8h], eax |
push ebx |
lea eax, dword ptr [esp+38h] |
push 00000160h |
push eax |
push ebx |
push 00429830h |
call dword ptr [00408178h] |
push 0040A188h |
Programming Language: |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41000 | 0x219c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd02c0 | 0x2228 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6254 | 0x6400 | False | 0.6676171875 | data | 6.4338643172916266 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1354 | 0x1400 | False | 0.4599609375 | data | 5.236269898436511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x25518 | 0x600 | False | 0.4557291666666667 | data | 4.044625496015545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x30000 | 0x11000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x41000 | 0x219c8 | 0x21a00 | False | 0.8901312732342007 | data | 7.609648735329348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x41418 | 0x1224f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x53668 | 0x6259 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States |
RT_ICON | 0x598c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
RT_ICON | 0x5be70 | 0x2466 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States |
RT_ICON | 0x5e2d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States |
RT_ICON | 0x5f380 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States |
RT_ICON | 0x60228 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States |
RT_ICON | 0x60ad0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States |
RT_ICON | 0x61138 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States |
RT_ICON | 0x616a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States |
RT_ICON | 0x61b08 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States |
RT_ICON | 0x61df0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States |
RT_DIALOG | 0x61f18 | 0x120 | data | English | United States |
RT_DIALOG | 0x62038 | 0x11c | data | English | United States |
RT_DIALOG | 0x62158 | 0xc4 | data | English | United States |
RT_DIALOG | 0x62220 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x62280 | 0xae | data | English | United States |
RT_VERSION | 0x62330 | 0x354 | data | English | United States |
RT_MANIFEST | 0x62688 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
03/17/23-14:34:28.679795 | TCP | 2039190 | ET TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49842 | 80 | 192.168.11.20 | 193.122.130.0 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2023 14:34:25.800806999 CET | 53317 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 17, 2023 14:34:25.810267925 CET | 53 | 53317 | 1.1.1.1 | 192.168.11.20 |
Mar 17, 2023 14:34:26.492222071 CET | 64485 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 17, 2023 14:34:26.525289059 CET | 53 | 64485 | 1.1.1.1 | 192.168.11.20 |
Mar 17, 2023 14:34:28.565037012 CET | 53811 | 53 | 192.168.11.20 | 1.1.1.1 |
Mar 17, 2023 14:34:28.573910952 CET | 53 | 53811 | 1.1.1.1 | 192.168.11.20 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2023 14:34:25.800806999 CET | 192.168.11.20 | 1.1.1.1 | 0x9c31 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:26.492222071 CET | 192.168.11.20 | 1.1.1.1 | 0xb9a5 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.565037012 CET | 192.168.11.20 | 1.1.1.1 | 0x9827 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2023 14:34:25.810267925 CET | 1.1.1.1 | 192.168.11.20 | 0x9c31 | No error (0) | | | 142.250.184.206 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:26.525289059 CET | 1.1.1.1 | 192.168.11.20 | 0xb9a5 | No error (0) | | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 17, 2023 14:34:26.525289059 CET | 1.1.1.1 | 192.168.11.20 | 0xb9a5 | No error (0) | | | 142.250.186.33 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
Mar 17, 2023 14:34:28.573910952 CET | 1.1.1.1 | 192.168.11.20 | 0x9827 | No error (0) | | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
Target ID: | 1 |
Start time: | 14:32:12 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\invoice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 861416 bytes |
MD5 hash: | F111934675C34CCA18D9D76FC34A2E40 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
Reputation: | low |
Target ID: | 5 |
Start time: | 14:34:15 |
Start date: | 17/03/2023 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb20000 |
File size: | 108664 bytes |
MD5 hash: | 914F728C04D3EDDD5FBA59420E74E56B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | high |
Target ID: | 6 |
Start time: | 14:34:15 |
Start date: | 17/03/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d18e0000 |
File size: | 875008 bytes |
MD5 hash: | 81CA40085FC75BABD2C91D18AA9FFA68 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 9 |
Start time: | 14:34:34 |
Start date: | 17/03/2023 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3f0000 |
File size: | 482640 bytes |
MD5 hash: | 40A149513D721F096DDF50C04DA2F01F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | moderate |