Analysis Report xuy1.bin
Overview
General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 836034
Start date: 11.04.2019
Start time: 19:17:10
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: xuy1.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.evad.winEXE@5/1@0/4
EGA Information: Failed
Detection

| Strategy | Score | Range | Reporting | Whitelisted | Detection |
|---|---|---|---|---|---|
| Threshold | 68 | 0 - 100 | Report FP / FN | false | |

Confidence

| Strategy | Score | Range | Further Analysis Required? | Confidence |
|---|---|---|---|---|
| Threshold | 5 | 0 - 5 | false | |
Analysis Advice

- All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which no longer works.
- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
- Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
- Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.
MITRE ATT&CK Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Graphical User Interface¹ | Winlogon Helper DLL | Process Injection¹¹¹ | Software Packing¹ | Credential Dumping | Process Discovery¹ | Application Deployment Software | Data from Local System | Data Encrypted¹ | Standard Non-Application Layer Protocol¹ |
| Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection¹¹¹ | Network Sniffing | Security Software Discovery¹ | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol¹ |
| Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information² | Input Capture | System Information Discovery¹ | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol |
Signature Overview

AV Detection:
- Antivirus or Machine Learning detection for sample [source: Joe Sandbox ML]
- Antivirus or Machine Learning detection for unpacked file [source: Joe Sandbox ML, 3 entries]

Networking:
- Connects to IPs without corresponding DNS lookups [source: TCP traffic detected without corresponding DNS query, 10 entries]
- Tries to connect to HTTP servers, but all servers are down (expired dropper behavior) [source: TCP traffic, 4 entries]
- Uses HTTPS [source: Network traffic detected, 4 entries]

System Summary:
- Blacklisted process start detected (Windows program) [source: Process created]
- PE file has nameless sections [source: Static PE information]
- PE file contains executable resources (Code or Archives) [source: Static PE information]
- Tries to load missing DLLs [source: Section loaded]
- PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) [source: Static PE information]
- Classification label [source: Classification label]
- Creates files inside the user directory [source: File created]
- PE file has an executable .text section and no other executable section [source: Static PE information]
- Parts of this application use Borland Delphi (probably coded in Delphi) [source: Key opened, 6 entries]
- Reads software policies [source: Key opened]
- Runs a DLL by calling functions [source: Process created]
- Spawns processes [source: Process created, 5 entries]

Data Obfuscation:
- PE file contains sections with non-standard names [source: Static PE information, 3 entries]
- Registers a DLL [source: Process created]
- Binary may include packed or encrypted code [source: Static PE information]

Persistence and Installation Behavior:
- Drops PE files [source: File created]

Hooking and other Techniques for Hiding and Protection:
- Disables application error messages (SetErrorMode) [source: Process information set, 14 entries]

Malware Analysis System Evasion:
- Checks the free space of harddrives [source: File Volume queried, 2 entries]
- Found a high number of Window / User specific system calls (may be a loop to detect user behavior) [source: Window / User API, 2 entries]
- Found dropped PE file which has not been started or loaded [source: Dropped PE file which has not been started]
- May sleep (evasive loops) to hinder dynamic analysis [source: Thread sleep count, 2 entries]
- Queries a list of all running processes [source: Process information queried]

Anti Debugging:
- Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) [source: System information queried]

HIPS / PFW / Operating System Protection Evasion:
- System process connects to network (likely due to code injection or exploit) [source: Network Connect, 4 entries]
- Creates a process in suspended mode (likely to inject code) [source: Process created, 2 entries]
- May try to detect the Windows Explorer process (often used for injection) [source: Binary or memory string, 3 entries]

Language, Device and Operating System Detection:
- Queries the volume information (name, serial number etc) of a device [source: Queries volume information, 2 entries]
- Queries the cryptographic machine GUID [source: Key value queried]
Behavior Graph

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 19:18:14 | API Interceptor | |
| 19:18:14 | API Interceptor | |
| 19:18:15 | API Interceptor | |
Antivirus and Machine Learning Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |

Dropped Files: No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 100% | Joe Sandbox ML | | |
| | 100% | Joe Sandbox ML | | |
| | 100% | Joe Sandbox ML | | |

Domains: No Antivirus matches

URLs: No Antivirus matches
Yara Overview

- Initial Sample: No yara matches
- PCAP (Network Traffic): No yara matches
- Dropped Files: No yara matches
- Memory Dumps: No yara matches
- Unpacked PEs: No yara matches
Created / dropped Files

Process: C:\Users\user\Desktop\xuy1.exe
Size (bytes): 453648
Entropy (8bit): 6.321533380248072
Encrypted: false
MD5: A2E35DF6B51831044519B392E3050B6F
SHA1: 6FA35EA0C642B0C7954B36B27948B29EE12C9BC9
SHA-256: B7AB58BD4CB1E31C1ABA4BB5B14CCF669A9D9CD9A7D8B7217CDE84548FC78EDD
SHA-512: 990A4952E1A409FEBB799A07BB7050B79CAD18012EE017D38571379A7FC4BDDB539D57F912D65CC87DCC3A9D64A264F94F4B4DDB96651212C958044D3ECE69BF
Malicious: false
Reputation: low
Domains and IPs

Contacted Domains: No contacted domains info

Contacted IPs (Public)

| IP | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|
| 87.18.28.52 | Italy | 3269 | ASN-IBSNAZIT | true |
| 150.132.134.24 | Sweden | 158 | ERI-AS-EricssonNetworkSystemsIncUS | true |
| 215.56.245.0 | United States | 721 | DNIC-ASBLK-00721-00726-DoDNetworkInformationCenterUS | true |
| 174.60.72.9 | United States | 7922 | unknown | true |
Static File Info

General

Entropy (8bit): 6.993291537469341
File name: xuy1.exe
File size: 952320
MD5: 9977310186f3df14ee1c3d60edbb9821
SHA1: 2be94450d8677cb819aa74684901bb52e1604674
SHA256: 67a77942a7aa208f2a7e178de2b75e5acab6c5fd89883f691255bb9457a0ca4c
SHA512: b50125e0eea2e6e873a16354b30bdab8227ebfa6f25aefc3a5461bec3feb330b2b054878b70c68b31daebe47b7ae7bbc186d58e48086a502e4014a93e7c7f174
SSDEEP: 24576:MWn0sX1FqSgNfscXtaJPnzKeAnjTy+RzHZ:9qfawh
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..\............................h:............@.................................K............@.........................

File Icon

Icon Hash: aab2e3e39383aa00
Static PE Info

General

Entrypoint: 0x403a68
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5CADA338 [Wed Apr 10 08:03:04 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f7bf957f6a3c581f66fe6f6bb8756c85
Entrypoint Preview

```asm
pushad
xor ebx, ebx
push 00002111h
push 00008777h
call 5D1F994Bh
or eax, eax
jne 5D1F9FE2h
push 00000014h
call 5D1F9E43h
or eax, eax
jne 5D1F9FD7h
push 00000040h
push 00001000h
push dword ptr [ebx+004D000Ch]
push 00000000h
call dword ptr [ebx+004D0688h]
mov edi, eax
mov dword ptr [ebx+004D0024h], edi
cmp ebx, 00000000h
jbe 5D1F9FCEh
add dword ptr [ebx+004D0000h], ebx
add dword ptr [ebx+004D0030h], ebx
mov esi, dword ptr [ebx+004D0000h]
mov ecx, dword ptr [ebx+004D000Ch]
rep movsb
mov ecx, 000FFFFFh
mov eax, dword ptr [ebx+004D0024h]
push 00403AE9h
pop dword ptr [ebx+004D0034h]
and dword ptr [ebx+004D0034h], ecx
xor eax, dword ptr [ebx+004D0034h]
jmp eax
push FFFF0000h
call 5D1F9BEBh
or ebx, ebx
je 5D1F9FD7h
push 00000004h
push 00001000h
push dword ptr [ebx+004D001Ch]
push 00000000h
call dword ptr [ebx+004D0688h]
push eax
pop dword ptr [ebx+004D0028h]
mov dword ptr [ebx+004D0018h], 00000002h
mov dword ptr [ebx+004D0014h], eax
lea eax, dword ptr [ebx+004D0018h]
push eax
push 00000040h
push dword ptr [ebx+0000000Ch]
```
Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15a000 | 0xf0 | .newIT |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x151000 | 0x83f0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xd0400 | 0x18 | .data |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x240 | 0xf4 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xd0600 | 0x1c4 | .data |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xce8d8 | 0xcea00 | False | 0.808364526618 | data | 7.29911063566 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0xd0000 | 0x80d6e | 0x1400 | False | 0.418359375 | data | 4.23078910028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x151000 | 0x83f0 | 0x8400 | False | 0.5498046875 | data | 6.48386562547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .newIT | 0x15a000 | 0xf0 | 0x200 | False | 0.248046875 | data | 2.09852780187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| | 0x15b000 | 0x10000 | 0x10000 | False | 0.00128173828125 | data | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x151628 | 0x25a8 | data | | |
| RT_MENU | 0x153bd0 | 0x3fc | data | | |
| RT_MENU | 0x153fcc | 0x350 | data | | |
| RT_MENU | 0x15431c | 0x274 | data | | |
| RT_MENU | 0x154590 | 0x3cc | data | | |
| RT_MENU | 0x15495c | 0x4ca | data | | |
| RT_MENU | 0x154e28 | 0x312 | data | | |
| RT_DIALOG | 0x15513c | 0x224 | data | | |
| RT_DIALOG | 0x155360 | 0x5ce | data | | |
| RT_DIALOG | 0x155930 | 0x100 | data | | |
| RT_DIALOG | 0x155a30 | 0x294 | data | | |
| RT_DIALOG | 0x155cc4 | 0x8c | data | | |
| RT_DIALOG | 0x155d50 | 0x1a6 | data | | |
| RT_DIALOG | 0x155ef8 | 0x100 | data | | |
| RT_DIALOG | 0x155ff8 | 0x298 | data | | |
| RT_STRING | 0x156290 | 0x3ee | data | | |
| RT_STRING | 0x156680 | 0x37a | DBase 3 data file | | |
| RT_STRING | 0x1569fc | 0x934 | data | | |
| RT_STRING | 0x157330 | 0x940 | DOS executable (COM) | | |
| RT_STRING | 0x157c70 | 0x5e2 | data | | |
| RT_STRING | 0x158254 | 0x192 | data | | |
| RT_STRING | 0x1583e8 | 0xb54 | data | | |
| RT_STRING | 0x158f3c | 0x208 | data | | |
| RT_RCDATA | 0x159144 | 0x4f | data | | |
| RT_RCDATA | 0x159194 | 0x50 | data | | |
| RT_RCDATA | 0x1591e4 | 0x3a | data | | |
| RT_RCDATA | 0x159220 | 0x5c | data | | |
| RT_GROUP_ICON | 0x15927c | 0x16 | MS Windows icon resource | | |
| RT_MANIFEST | 0x159294 | 0x15a | ASCII text, with CRLF line terminators | English | United States |
Imports

| DLL | Import |
|---|---|
| kernel32.dll | GetACP, GetModuleHandleA, GetProcAddress, GetVersion, ExitThread, Sleep, VirtualAlloc, VirtualProtect, LoadLibraryA, CreateThread, ExitProcess, SetLocalPrimaryComputerNameA, GetSystemTimeAdjustment, GetConsoleInputWaitHandle, GetProcessHandleCount, WritePrivateProfileStructW, SetThreadAffinityMask, FindActCtxSectionGuid, SetComputerNameExA, HeapDestroy |
| comctl32.dll | InitCommonControls, ImageList_GetFlags, DefSubclassProc, DPA_DeleteAllPtrs, FlatSB_GetScrollRange, SetWindowSubclass, ImageList_ReplaceIcon, ImageList_Replace |
| ole32.dll | OleUninitialize, OleInitialize, CoAllowSetForegroundWindow, CoPopServiceDomain, DllGetClassObject, CoGetClassVersion, CoGetSystemSecurityPermissions |
| gdi32.dll | GdiSetBatchLimit, ClearBitmapAttributes, GetWorldTransform, GetMetaRgn, GdiConvertDC, GdiGetBitmapBitsSize, GetPolyFillMode, CombineRgn, GetGlyphIndicesW, PaintRgn, DdEntry24 |
| msimg32.dll | TransparentBlt, AlphaBlend, vSetDdrawflag |
| oledlg.dll | OleUIObjectPropertiesW, OleUIChangeSourceW, OleUIConvertA, OleUIUpdateLinksW, OleUIPromptUserW, OleUIEditLinksA, OleUIAddVerbMenuA, OleUICanConvertOrActivateAs, OleUIInsertObjectW, OleUIBusyA, OleUIChangeIconW, OleUIBusyW, OleUIUpdateLinksA |
| winspool.drv | PerfCollect, EnumPrinterDataExA, SetPrinterDataExA, EnumFormsA, DocumentPropertiesW, EnumPortsW, EndDocPrinter |
| imagehlp.dll | ImageEnumerateCertificates, SymGetSymFromName, MapDebugInformation, SymGetSymPrev, ImageGetDigestStream, SymGetLineNext |
| oleacc.dll | AccessibleObjectFromEvent, GetOleaccVersionInfo, GetStateTextW, AccessibleObjectFromWindow, AccessibleChildren, CreateStdAccessibleObject, CreateStdAccessibleProxyW, IID_IAccessible |
| shlwapi.dll | PathAppendA, SHOpenRegStream2W, SHRegGetPathW, PathRenameExtensionA, PathFindFileNameA, SHRegSetUSValueA, PathGetCharTypeA, PathFindNextComponentA, PathUnquoteSpacesA, AssocQueryStringA, PathIsUNCW |
| shell32.dll | SHStartNetConnectionDialogW, FindExecutableW, SHPathPrepareForWriteA, CommandLineToArgvW, ShellExecuteEx, SHCloneSpecialIDList, RealShellExecuteA, SHGetNewLinkInfoW |
Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
Network Behavior

Network Port Distribution

TCP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 11, 2019 19:19:05.048475981 MESZ | 49216 | 443 | 192.168.1.81 | 215.56.245.0 |
| Apr 11, 2019 19:19:08.048301935 MESZ | 49216 | 443 | 192.168.1.81 | 215.56.245.0 |
| Apr 11, 2019 19:19:14.047909975 MESZ | 49216 | 443 | 192.168.1.81 | 215.56.245.0 |
| Apr 11, 2019 19:19:26.075037003 MESZ | 49217 | 443 | 192.168.1.81 | 174.60.72.9 |
| Apr 11, 2019 19:19:29.063646078 MESZ | 49217 | 443 | 192.168.1.81 | 174.60.72.9 |
| Apr 11, 2019 19:19:35.064271927 MESZ | 49217 | 443 | 192.168.1.81 | 174.60.72.9 |
| Apr 11, 2019 19:19:47.072783947 MESZ | 49218 | 443 | 192.168.1.81 | 87.18.28.52 |
| Apr 11, 2019 19:19:50.079416990 MESZ | 49218 | 443 | 192.168.1.81 | 87.18.28.52 |
| Apr 11, 2019 19:19:56.079925060 MESZ | 49218 | 443 | 192.168.1.81 | 87.18.28.52 |
| Apr 11, 2019 19:20:08.082268953 MESZ | 49219 | 443 | 192.168.1.81 | 150.132.134.24 |
System Behavior

General

Start time: 19:17:15
Start date: 11/04/2019
Path: C:\Users\user\Desktop\xuy1.exe
Wow64 process (32bit): false
Imagebase: 0x400000
File size: 952320 bytes
MD5 hash: 9977310186F3DF14EE1C3D60EDBB9821
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 19:18:13
Start date: 11/04/2019
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Imagebase: 0xfd0000
File size: 14848 bytes
MD5 hash: 432BE6CF7311062633459EEF6B242FB5
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 19:18:14
Start date: 11/04/2019
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Imagebase: 0x4e0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low