Edit tour
Windows
Analysis Report
WlCIinu0yp.exe
Overview
General Information
Sample name: | WlCIinu0yp.exerenamed because original name is a hash value |
Original sample name: | 28d853922cf07f58ea8f4a81492120ae.exe |
Analysis ID: | 1434501 |
MD5: | 28d853922cf07f58ea8f4a81492120ae |
SHA1: | e957c503b201179bc7901256bf37ff292705e805 |
SHA256: | e62b73e7f0b73dcdcf303dcd3f587a54a684d0ab4c0dd1e90b3a8b39502a9a38 |
Tags: | exe |
Infos: | |
Detection
LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Socks5Systemz
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- WlCIinu0yp.exe (PID: 2044 cmdline:
"C:\Users\ user\Deskt op\WlCIinu 0yp.exe" MD5: 28D853922CF07F58EA8F4A81492120AE) - hvkESMr10WtP7_E6btIJmDx0.exe (PID: 7700 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\hvkE SMr10WtP7_ E6btIJmDx0 .exe MD5: 15CADD15B0A9AAA2FD551DA56D8941F6) - pRIMqfuwRZ49ldgjUZ_z2py6.exe (PID: 7712 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\pRIM qfuwRZ49ld gjUZ_z2py6 .exe MD5: 0663ACC77B47A56BBE20976B47BADAD9) - ydYqwUL3GNS6IHkMgIteny78.exe (PID: 7720 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\ydYq wUL3GNS6IH kMgIteny78 .exe MD5: 50C2351D515F9EA10496E4E33401BD2F) - q9Sc3pS9TsI8vZtTlbAuGG_b.exe (PID: 7728 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\q9Sc 3pS9TsI8vZ tTlbAuGG_b .exe MD5: 82F1E8F10DE3D6D0D4ADE8E67E2C71E5) - Install.exe (PID: 8132 cmdline:
.\Install. exe MD5: D4DFFA430BC20AC68EBAA9BF88AE3AAA) - Install.exe (PID: 4960 cmdline:
.\Install. exe /vHllW didbTpr "5 25403" /S MD5: 9C70CCCDF767C68A089EC2C3F836AE6E) - cX55WveNgznoE8Y_EKeykvl8.exe (PID: 7736 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\cX55 WveNgznoE8 Y_EKeykvl8 .exe MD5: 62C4D21B21D542F5E9D7697607BE2D9B) - ZzpT5hwyVjlAXfLjB1r1iwOX.exe (PID: 7744 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\ZzpT 5hwyVjlAXf LjB1r1iwOX .exe MD5: 0E076AD1FAD2D7B0F328273A5EC203A4) - schtasks.exe (PID: 7380 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MPGPH131\ MPGPH131.e xe" /tn "M PGPH131 HR " /sc HOUR LY /rl HIG HEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 6040 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 7576 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \MPGPH131\ MPGPH131.e xe" /tn "M PGPH131 LG " /sc ONLO GON /rl HI GHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 2212 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - lmmycYk2THJ6kqlicmdyWtVT.exe (PID: 7752 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\lmmy cYk2THJ6kq licmdyWtVT .exe MD5: 6A923E65041F43E9BEF4D54BFE1494EA) - cmd.exe (PID: 8148 cmdline:
"C:\Window s\System32 \cmd.exe" /k move Gu ests Guest s.cmd & Gu ests.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8160 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - njeL_S54LMD1B6b6sdXBUgG6.exe (PID: 7760 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\njeL _S54LMD1B6 b6sdXBUgG6 .exe MD5: DC80E716AA4E8A5F9C700DFF8BE2164D) - 0kNDw1qtthM70owdcV01L1ro.exe (PID: 7768 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\0kND w1qtthM70o wdcV01L1ro .exe MD5: E6305F7BCA884A8D1BBE0557B0788440) - H14SDf_AWcPvvQK5Xx97sISX.exe (PID: 7776 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\H14S Df_AWcPvvQ K5Xx97sISX .exe MD5: F2C22D5E309269E4634376930D28F043) - ifM1E2HUtOYe96efnF4a_sDH.exe (PID: 7792 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\ifM1 E2HUtOYe96 efnF4a_sDH .exe MD5: 2019322EA56C5B80294770F6018BDDC1) - schtasks.exe (PID: 7492 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \WinTracke rSP\WinTra ckerSP.exe " /tn "Win TrackerSP HR" /sc HO URLY /rl H IGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 5328 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 3544 cmdline:
schtasks / create /f /RU "user" /tr "C:\P rogramData \WinTracke rSP\WinTra ckerSP.exe " /tn "Win TrackerSP LG" /sc ON LOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 7672 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FCK5Px_iTbBaGQTFBpzZeks2.exe (PID: 7784 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\FCK5 Px_iTbBaGQ TFBpzZeks2 .exe MD5: 6BFB66577B9B4B80C43405D18518A8CD) - FCK5Px_iTbBaGQTFBpzZeks2.tmp (PID: 8108 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-F9R OM.tmp\FCK 5Px_iTbBaG QTFBpzZeks 2.tmp" /SL 5="$402F6, 4891798,54 272,C:\Use rs\user\Do cuments\Si mpleAdobe\ FCK5Px_iTb BaGQTFBpzZ eks2.exe" MD5: D345EE98D490FBC258E1721F7E62FC5D) - softjenimmp3converter.exe (PID: 7560 cmdline:
"C:\Users\ user\AppDa ta\Local\S oft Jenim MP3 Conver ter\softje nimmp3conv erter.exe" -i MD5: 728334B3989724176F27EB39D2CE8D4B) - softjenimmp3converter.exe (PID: 3992 cmdline:
"C:\Users\ user\AppDa ta\Local\S oft Jenim MP3 Conver ter\softje nimmp3conv erter.exe" -s MD5: 728334B3989724176F27EB39D2CE8D4B) - wDFs1SzoVQiT2__nQmbIm6Rg.exe (PID: 7800 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\wDFs 1SzoVQiT2_ _nQmbIm6Rg .exe MD5: 775AF421A2E7CC4D2CDB81142168F9C8) - RegAsm.exe (PID: 8008 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - 0aUjr05rR32eKJo8dvN8X8hr.exe (PID: 7808 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\0aUj r05rR32eKJ o8dvN8X8hr .exe MD5: B091C4848287BE6601D720997394D453) - powercfg.exe (PID: 2004 cmdline:
C:\Windows \system32\ powercfg.e xe /x -hib ernate-tim eout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 7268 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 7284 cmdline:
C:\Windows \system32\ powercfg.e xe /x -hib ernate-tim eout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 2504 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 6636 cmdline:
C:\Windows \system32\ powercfg.e xe /x -sta ndby-timeo ut-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 4504 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powercfg.exe (PID: 6524 cmdline:
C:\Windows \system32\ powercfg.e xe /x -sta ndby-timeo ut-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705) - conhost.exe (PID: 6084 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 5428 cmdline:
C:\Windows \system32\ sc.exe del ete "OBGPQ MHF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 7456 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 7692 cmdline:
C:\Windows \system32\ sc.exe cre ate "OBGPQ MHF" binpa th= "C:\Pr ogramData\ ndfbaljqaq zm\dckuyba nmlgp.exe" start= "a uto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 7632 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - 9RJ0JeM9uj2rfsuq_woBmmIY.exe (PID: 7816 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\9RJ0 JeM9uj2rfs uq_woBmmIY .exe MD5: 6AAE5AD15E0EE9DA87AB30971373A029) - RegAsm.exe (PID: 8000 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - rYuCm9r3mZzk_0VrthAnPu8c.exe (PID: 7824 cmdline:
C:\Users\u ser\Docume nts\Simple Adobe\rYuC m9r3mZzk_0 VrthAnPu8c .exe MD5: 5B552D51D03B0F0FA294120593BDF26B)
- svchost.exe (PID: 2144 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 3484 cmdline:
C:\Windows \System32\ svchost.ex e -k NetSv cs -p -s N caSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1004 cmdline:
C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -s WPD BusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
{"C2 list": ["cskuxgp.net"]}
{"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
{"C2 url": ["5.42.65.96:28380"], "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | ||
JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security | ||
JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
Click to see the 24 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
| |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | ||
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
| |
Click to see the 18 entries |
Change of critical system settings |
---|
Source: | Author: Joe Security: |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: Christian Burkard (Nextron Systems): |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
Source: | Author: vburov: |
Timestamp: | 05/01/24-08:40:19.118735 |
SID: | 2049837 |
Source Port: | 49730 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Change of critical system settings |
---|
Source: | Registry key created or modified: | Jump to behavior | ||
Source: | Registry key created or modified: | Jump to behavior |
Source: | Code function: | 7_2_004DB1CB | |
Source: | Code function: | 7_2_0040B300 |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Snort IDS: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | TCP traffic: |
Source: | File created: | ||
Source: | File created: |
Source: | DNS query: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | HTTP traffic detected: |