100
Malicious
This predictive confidence of maliciousness for this sample is 100%.
0e46e7cb4bd9cd1a4dcd8b44ce08deba45786c84c54f6e1353fce990c22268ab
147.5 kB
2020-05-28 09:19:26
First seen 4 days ago
Windows PE32 Executable

Classification

Full Detail
Ransomware
High
Trojan
Low
Virus
Low
Banker
Low
Bot
Medium
Rat
Low
Adware
Low
Infostealer
Low
Worm
Low
Spyware
Low

Indicators

Expand All
SecondWrite Indicators
Forced Code Execution
Automatic Sequence Detection
Program Level Indicators
Anti-Analysis
Attempts to repeatedly call a single API many times in order to delay analysis time
Anti-Sandbox
A process attempted to delay the analysis task.
Anti-Vm
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
Av-Tools
One or more AV tool detects this sample as malicious: Ransom:Win32/Gandcrab.D!MTB
Bot
Connects to an IRC server, possibly part of a botnet
Bypass
Operates on local firewall's policies and settings
Generic
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Attempts to remove evidence of file being downloaded from the Internet
Network
Sample contacts servers at uncommon ports
Packer
The executable has PE anomalies (could be a false positive)
Allocates read-write-execute memory (usually to unpack itself)
The binary likely contains encrypted or compressed data.
Persistence
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup
Program-Level-Features
More than %50 of the external calls do not go through the import address table
Static
This sample contains high entropy sections
Anomalous binary characteristics
Stealth
Possible date expiration check, exits too soon after checking local time
Creates a hidden or system file
image/svg+xml

Yara

Yara Pattern Name Description
IsPE32 No Description Available
HasDebugData DebugData Check
HasRichSignature Rich Signature Check
ThreadControl__Context No Description Available
anti_dbg Checks if being debugged
win_files_operation Affect private profile

Static Analysis

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0000bb7b 0x0000bc00 6.65216744814
.rdata 0x0000d000 0x000059f2 0x00005a00 4.93138969948
.data 0x00013000 0x00022018 0x00001000 1.38478414292
.gfids 0x00036000 0x000000ac 0x00000200 1.41055186055
.rsrc 0x00037000 0x00010098 0x00010200 7.13618944731
.reloc 0x00048000 0x00008000 0x00001200 6.54829755258

Resources

Name Offset Size Language Sub-language File type
ITF 0x00037558 0x00003d92 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_BITMAP 0x0003b2ec 0x00003928 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_ICON 0x0004647c 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_STRING 0x00046e34 0x0000016c LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_GROUP_ICON 0x00046fc4 0x00000076 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_GROUP_ICON 0x00046fc4 0x00000076 LANG_NEUTRAL SUBLANG_NEUTRAL None
RT_VERSION 0x0004703c 0x0000005c LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library KERNEL32.dll:

  • CloseHandle
  • CreateFileW
  • DecodePointer
  • DeleteCriticalSection
  • EnterCriticalSection
  • ExitProcess
  • FindClose
  • FindFirstFileExA
  • FindNextFileA
  • FlushFileBuffers
  • FlushViewOfFile
  • FreeEnvironmentStringsW
  • FreeLibrary
  • GetACP
  • GetCommandLineA
  • GetCommandLineW
  • GetConsoleCP
  • GetConsoleMode
  • GetCPInfo
  • GetCurrentProcess
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetDefaultCommConfigW
  • GetEnvironmentStringsW
  • GetFileType
  • GetLastError
  • GetModuleFileNameA
  • GetModuleFileNameW
  • GetModuleHandleExW
  • GetModuleHandleW
  • GetOEMCP
  • GetProcAddress
  • GetProcessHeap
  • GetStartupInfoW
  • GetStdHandle
  • GetStringTypeW
  • GetSystemTimeAsFileTime
  • GetTempPathA
  • GlobalAlloc
  • HeapAlloc
  • HeapFree
  • HeapReAlloc
  • HeapSize
  • InitializeCriticalSectionAndSpinCount
  • InitializeSListHead
  • IsDebuggerPresent
  • IsProcessorFeaturePresent
  • IsValidCodePage
  • LCMapStringW
  • LeaveCriticalSection
  • LoadLibraryA
  • LoadLibraryExW
  • MapViewOfFile
  • MultiByteToWideChar
  • QueryPerformanceCounter
  • RaiseException
  • ReadConsoleW
  • ReadFile
  • RtlUnwind
  • SetCommMask
  • SetConsoleCP
  • SetConsoleMode
  • SetFilePointerEx
  • SetFileShortNameA
  • SetLastError
  • SetStdHandle
  • SetThreadContext
  • SetUnhandledExceptionFilter
  • TerminateProcess
  • TlsAlloc
  • TlsFree
  • TlsGetValue
  • TlsSetValue
  • UnhandledExceptionFilter
  • VirtualProtect
  • WideCharToMultiByte
  • WriteConsoleW
  • WriteFile

Library GDI32.dll:

  • PathToRegion
  • ResetDCA

Library MSIMG32.dll:

  • TransparentBlt

Strings

  • !This program cannot be run in DOS mode.
  • !^Rich
  • `.rdata
  • @.data
  • .gfids
  • @.rsrc
  • @.reloc
  • WWWWWWWWWWW
  • t!h(4A
  • URPQQh@"@
  • ;t$,v-
  • UQPXY]Y[
  • WWWPWS
  • u-PWWS
  • SSVWh
  • f9:t!V
  • QQSWj0j@
  • tl=0;A
  • j,hX!A
  • D8(HXt:f
  • D8(Ht5F
  • PPPPPWS
  • PP9E u:PPVWP
  • PPPPPPPP
  • yeyazedexisu
  • doyomuhosade gumofipasicajocowenodi pececidujuciyexawekoza
  • rixecufazukofatepaxudocagigi yovekesodoxofezavuyu bokejuniku
  • kernel32.dll
  • FlsAlloc
  • FlsFree
  • FlsGetValue
  • FlsSetValue
  • InitializeCriticalSectionEx
  • __based(
  • __cdecl
  • __pascal
  • __stdcall
  • __thiscall
  • __fastcall
  • __vectorcall
  • __clrcall
  • __eabi
  • __ptr64
  • __restrict
  • __unaligned
  • restrict(
  • delete
  • operator
  • `vftable'
  • `vbtable'
  • `vcall'
  • `typeof'
  • `local static guard'
  • `string'
  • `vbase destructor'
  • `vector deleting destructor'
  • `default constructor closure'
  • `scalar deleting destructor'
  • `vector constructor iterator'
  • `vector destructor iterator'
  • `vector vbase constructor iterator'
  • `virtual displacement map'
  • `eh vector constructor iterator'
  • `eh vector destructor iterator'
  • `eh vector vbase constructor iterator'
  • `copy constructor closure'
  • `udt returning'
  • `local vftable'
  • `local vftable constructor closure'
  • new[]
  • delete[]
  • `omni callsig'
  • `placement delete closure'
  • `placement delete[] closure'
  • `managed vector constructor iterator'
  • `managed vector destructor iterator'
  • `eh vector copy constructor iterator'
  • `eh vector vbase copy constructor iterator'
  • `dynamic initializer for '
  • `dynamic atexit destructor for '
  • `vector copy constructor iterator'
  • `vector vbase copy constructor iterator'
  • `managed vector copy constructor iterator'
  • `local static thread guard'
  • operator ""
  • Type Descriptor'
  • Base Class Descriptor at (
  • Base Class Array'
  • Class Hierarchy Descriptor'
  • Complete Object Locator'
  • CorExitProcess
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • January
  • February
  • August
  • September
  • October
  • November
  • December
  • MM/dd/yy
  • dddd, MMMM dd, yyyy
  • HH:mm:ss
  • GetCurrentPackageId
  • LCMapStringEx
  • LocaleNameToLCID
  •  !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
  •  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
  • ?5Wg4p
  • %S#[k=
  • "B <1=
  • _hypot
  • _nextafter
  • .text$mn
  • .idata$5
  • .00cfg
  • .CRT$XCA
  • .CRT$XCAA
  • .CRT$XCZ
  • .CRT$XIA
  • .CRT$XIAA
  • .CRT$XIAC
  • .CRT$XIC
  • .CRT$XIZ
  • .CRT$XLA
  • .CRT$XLZ
  • .CRT$XPA
  • .CRT$XPX
  • .CRT$XPXA
  • .CRT$XPZ
  • .CRT$XTA
  • .CRT$XTZ
  • .rdata
  • .rdata$T
  • .rdata$sxdata
  • .rdata$zzzdbg
  • .rtc$IAA
  • .rtc$IZZ
  • .rtc$TAA
  • .rtc$TZZ
  • .xdata$x
  • .idata$2
  • .idata$3
  • .idata$4
  • .idata$6
  • .tls$ZZZ
  • .gfids$x
  • .gfids$y
  • .rsrc$01
  • .rsrc$02
  • GlobalAlloc
  • VirtualProtect
  • SetLastError
  • SetThreadContext
  • FlushFileBuffers
  • SetFileShortNameA
  • SetCommMask
  • MapViewOfFile
  • FlushViewOfFile
  • LoadLibraryA
  • GetModuleFileNameW
  • GetTempPathA
  • GetDefaultCommConfigW
  • SetConsoleMode
  • SetConsoleCP
  • KERNEL32.dll
  • ResetDCA
  • PathToRegion
  • GDI32.dll
  • TransparentBlt
  • MSIMG32.dll
  • QueryPerformanceCounter
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetSystemTimeAsFileTime
  • InitializeSListHead
  • IsDebuggerPresent
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • GetStartupInfoW
  • IsProcessorFeaturePresent
  • GetModuleHandleW
  • GetCurrentProcess
  • TerminateProcess
  • RtlUnwind
  • GetLastError
  • EnterCriticalSection
  • LeaveCriticalSection
  • DeleteCriticalSection
  • InitializeCriticalSectionAndSpinCount
  • TlsAlloc
  • TlsGetValue
  • TlsSetValue
  • TlsFree
  • FreeLibrary
  • GetProcAddress
  • LoadLibraryExW
  • GetStdHandle
  • WriteFile
  • GetModuleFileNameA
  • MultiByteToWideChar
  • WideCharToMultiByte
  • ExitProcess
  • GetModuleHandleExW
  • GetACP
  • HeapFree
  • HeapAlloc
  • GetConsoleCP
  • GetConsoleMode
  • GetFileType
  • ReadFile
  • CloseHandle
  • FindClose
  • FindFirstFileExA
  • FindNextFileA
  • IsValidCodePage
  • GetOEMCP
  • GetCPInfo
  • GetCommandLineA
  • GetCommandLineW
  • GetEnvironmentStringsW
  • FreeEnvironmentStringsW
  • LCMapStringW
  • SetStdHandle
  • GetStringTypeW
  • GetProcessHeap
  • SetFilePointerEx
  • WriteConsoleW
  • ReadConsoleW
  • HeapSize
  • HeapReAlloc
  • CreateFileW
  • DecodePointer
  • RaiseException
  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • abcdefghijklmnopqrstuvwxyz
  • ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • b{F'F.z
  • p|"_|?Qo
  • Qq.>KJU
  • Nj]MRO
  • k%PNRv
  • @|UC)i
  • A72L4:
  • 49'g9?;
  • vi^"y;
  • x~+;@
  • /Mw0Nu5`:L
  • :;{)`-Vu
  • nz;\1d
  • Qrr|P"j`
  • Pi\0&kkbI
  • n~|h~{b>l
  • ZDG&H/c
  • B7i*3j@7
  • nGwH1r
  • OPoK+L
  • a0!e71
  • x<6%{b5h
  • @T(:9H
  • Oz;*:(
  • ry8MZYD
  • b+Y2+Y2+
  • b+Y2+Y2+Y2+
  • b+Y2+Y2+Y2+Y2!C
  • b+Y2+Y2+Y2+Y2+Y2+Y2!C
  • b+Y2+Y2+Y2+Y2+Y2+Y2+Y2!C
  • b+Y2+Y2+Y2+Y2+Y2+Y2+Y2+Y2f/
  • >:+Y2+Y2+Y2+Y2+Y2+Y2f/
  • +Y2+Y2+Y2+Y2f/
  • +Y2+Y2+Y2f/
  • +Y2+Y2f/
  • zzzzVVV
  • $$$$$$$$$$$$$$$$$$$$$$
  • $$$$$$$$$$$$$$
  • $$$$$$$$$$$
  • $$$$$$$$$$
  • <$$$$$$$$$$$
  • }$$$$$$
  • }$$$$$
  • }}F}$}$}
  • $}$}}$
  • $}$}}}
  • }}}}}}
  • }}}}}$
  • 2s}b}2222
  • $$$$$$$$
  • @@@}@:}}
  • }}$$$$$$$$$$
  • $$}}$}$
  • $$$$$$
  • }$$$$$
  • }$}$}}$}$
  • $$$}$$$$$$$$$
  • }$$$$$$
  • 4)4)xx)
  • iiii)iiiii
  • iiiiii)i
  • 44)iiix
  • iSiiiii
  • 4)iiiiiex
  • i)xiii
  • SiSeeiiii
  • 44iiiii4xiii
  • iiiiii
  • 4444S4
  • )4.44))iii
  • UUUUUL
  • ULLLLLLU
  • #!!+dXW@
  • %!%#"#2
  • /(# +& (*
  • 3$"(
  • $9'! *
  • " %!"
  • + 0$))1%$",
  • % !/"!
  • -#&*+$
  • " #5!$%2!!"6
  • %!( '$
  • ##+% (
  • ,$%%(
  • )&'-!
  • "$(6!!
  • !#!-*%"'
  • +! +!
  • "(& " (
  • #7wlxF!
  • ~._pr7
  • ! 4"
  • )!'owm=
  • #3("(.
  • %".#"%)
  • ;'! )"
  • EDDE^~~
  • ZXMtrukM
  • ?*%!*$*
  • N`)6h]_
  • +?`'+~
  • 0AS++
  • 0!%%#~
  • 1;U!*y
  • ,f_lx~
  • CCE5KED`
  • gmozF9KB-1(
  • 2%#0
  • ! .>N
  • ;P#.DL.w~
  • ~'!MY*:EW".
  • *% !*!!
  • ;78&~~
  • %&x~&#
  • '@O%->[
  • 3=R')>V
  • cucY|~#'t
  • ,ZokJz
  • ~$~~!(
  • )BR2>U&1
  • ) ;Y&4
  • FR-1$ 4|
  • |!(%%$-
  • %'%-$,
  • 0(0/0L0R0W0o0
  • 1"1/151;1J1P1U1k1u1
  • 2"2>2D2J2Q2W2e2l2x2
  • 3.4\4m4r4w4
  • 8/8;8J8S8`8
  • :-:S:k:q:
  • ;<<E<M<
  • =$=:=C=N=U=u={=
  • > >0>@>I>
  • >7???Q?
  • 3+353C3^3o3{3
  • 4V4f4}4
  • 5&5+505W5`5e5j5
  • 6.686]6o6{6
  • ;&=<=^=l=
  • >(>f>p>v>|>
  • )1\1a1
  • 3!3=3F3
  • 4,4?4[4
  • 6"6+6<6N6i6
  • 6$717<7F7L7`7l7
  • 8#8+8|8#9D9
  • <"<.<G<Z<
  • >$?*?I?b?
  • 2$3[3z3
  • :.:C:Z:}:
  • %070m0
  • 1#2S2v2T3a4
  • 8]8Y9m9
  • ;#;>;J;[;d;
  • <,<6<Y<c<
  • 2,212F2y2
  • 6"696i6~6
  • 9":H:j:
  • :;8;G;S;a;
  • <%<A<L<Q<V<q<{<
  • =&=6=R=]=b=g=
  • >0>;>H>]>h>|>
  • 0!0>0F0o0v0
  • 202B2T2f2x2
  • :%;C;N;
  • ;.<;<H<U<l<3=
  • 5/565L5b5o5t5
  • 7e7"8@8c8p8{8
  • <<<E=i=
  • >C>`>t>
  • 9G:M:Z:e:u:
  • ?%?.?@?s?
  • 112=2Q2]2i2
  • 33/3;3J3N4
  • 9,9=9E9U9f9
  • ;U;a;m;y;
  • 0C1^1t1
  • :R=n=D>W>u>
  • 10h0o0t0x0|0
  • 1 1$1(1,1
  • P1X1d1h1l1p1t1
  • 1<2@2D2H2L2P2`3d3h3l3p3t3x3|3
  • 4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
  • 1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1|1
  • 2 2$2(2,2024282p2t2x2|2
  • >$>,>4><>D>L>T>\>d>l>t>|>
  • ?$?,?4?<?D?L?T?\?d?l?t?|?
  • 0$0,040<0D0L0T0\0d0l0t0|0
  • 1$1,141<1D1L1T1\1d1l1t1|1
  • 2$2,242<2D2L2T2\2d2l2t2|2
  • 3$3,343<3D3L3T3\3d3l3t3|3
  • 4$4,444<4D4L4T4\4d4l4t4|4
  • ? ?(?0?8?@?H?P?X?`?h?p?x?
  • 0 0(00080@0H0P0X0`0h0p0x0
  • 1 1(10181@1H1P1X1`1h1p1x1
  • 2 2(20282@2H2P2X2`2h2p2x2
  • 3 3(30383@3H3P3X3`3h3p3x3
  • 4 4(40484@4H4P4X4`4h4p4x4
  • 5 5(50585@5H5P5X5`5h5p5x5
  • l9t9|9
  • :$:,:4:<:D:L:
  • ?(?0?4?P?p?
  • 000P0p0
  • 101P1p1
  • 202P2l2p2
  • 5 ;0;4;8;<;@;D;H;L;P;T;`;d;h;l;p;t;x;|;
  • @advapi32
  • api-ms-win-core-fibers-l1-1-1
  • api-ms-win-core-synch-l1-2-0
  • kernel32
  • mscoree.dll
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • January
  • February
  • August
  • September
  • October
  • November
  • December
  • MM/dd/yy
  • dddd, MMMM dd, yyyy
  • HH:mm:ss
  • @ja-JP
  • @api-ms-win-appmodel-runtime-l1-1-1
  • api-ms-win-core-datetime-l1-1-1
  • api-ms-win-core-file-l2-1-1
  • api-ms-win-core-localization-l1-2-1
  • api-ms-win-core-localization-obsolete-l1-2-0
  • api-ms-win-core-processthreads-l1-1-2
  • api-ms-win-core-string-l1-1-0
  • api-ms-win-core-sysinfo-l1-2-1
  • api-ms-win-core-winrt-l1-1-0
  • api-ms-win-core-xstate-l2-1-0
  • api-ms-win-rtcore-ntuser-window-l1-1-0
  • api-ms-win-security-systemfunctions-l1-1-0
  • ext-ms-win-kernel32-package-current-l1-1-0
  • ext-ms-win-ntuser-dialogbox-l1-1-0
  • ext-ms-win-ntuser-windowstation-l1-1-0
  • user32
  • ((((( H
  • zh-CHS
  • az-AZ-Latn
  • uz-UZ-Latn
  • kok-IN
  • syr-SY
  • div-MV
  • quz-BO
  • sr-SP-Latn
  • az-AZ-Cyrl
  • uz-UZ-Cyrl
  • quz-EC
  • sr-SP-Cyrl
  • quz-PE
  • smj-NO
  • bs-BA-Latn
  • smj-SE
  • sr-BA-Latn
  • sma-NO
  • sr-BA-Cyrl
  • sma-SE
  • sms-FI
  • smn-FI
  • zh-CHT
  • az-az-cyrl
  • az-az-latn
  • bs-ba-latn
  • div-mv
  • kok-in
  • quz-bo
  • quz-ec
  • quz-pe
  • sma-no
  • sma-se
  • smj-no
  • smj-se
  • smn-fi
  • sms-fi
  • sr-ba-cyrl
  • sr-ba-latn
  • sr-sp-cyrl
  • sr-sp-latn
  • syr-sy
  • uz-uz-cyrl
  • uz-uz-latn
  • zh-chs
  • zh-cht
  • CONOUT$
  • IBekopu kafo loze piyiwayayehacu benegijuguda nepikotigodi muwusocudi wuze
  • Mike vasohirovaco
  • KJitezapu vayitolohu rejevutusi bebici xidu sawericeci zaxafixobamo yevetiza
  • Pisagi bepisa
  • To xiwucatojosu
  • Zaha viwexepeniwane
  • [Gikicudo soyihuruya deya fipihaja bonorexokene vekivuba kivekesaxulu civavu hufi razepibomi
  • Bawesacavawi cewecotu
  • 4Wijaharoraju cozibubajo cejedamaca viyeyojelefuwa ho
  • dKenonohu wumiputedi mabozodeseyile mejevuxo tipufite yiyapelitayazu kesijavobo hisabiyohoxu cojanuka
  • Cehuhoni vasowomaza
  • $Tuya dole zosiwayuhumu ni ciduladipi
  • YBabagewoxo docesapaja ye yazedexisu doyo muhosadegu mofipasica joco wenodipececi dujuciye
  • MXawekoza rixecufazukofa tepa xu docagigiyove kesodoxofeza vuyubo kejunikudihu
  • VS_VERSION_INFO

Network

IRC Requests

Command Params Type
NICK 
`|USA|leqwibbu
 
client
USER 
x "" "x" :x
 
client

Hosts Involved

IP Address Country of Origin
92.63.197.106 RU
216.58.206.238 US

Geolocation

Destination Country

US:
50%
RU:
50%
AfghanistanAngolaAlbaniaAlandAndorraUnited Arab EmiratesArgentinaArmeniaAntarcticaFr. S. Antarctic LandsAustraliaAustriaAzerbaijanBurundiBelgiumBeninBurkina FasoBangladeshBulgariaBahrainBahamasBosnia and Herz.BelarusBelizeBoliviaBrazilBarbadosBruneiBhutanBotswanaCentral African Rep.CanadaSwitzerlandChileChinaCôte d'IvoireCameroonCyprus U.N. Buffer ZoneDem. Rep. CongoCongoColombiaComorosCape VerdeCosta RicaCubaCuraçaoN. CyprusCyprusCzech Rep.GermanyDjiboutiDominicaDenmarkDominican Rep.AlgeriaEcuadorEgyptEritreaDhekeliaSpainEstoniaEthiopiaFinlandFijiFalkland Is.FranceFaeroe Is.MicronesiaGabonUnited KingdomGeorgiaGhanaGibraltarGuineaGambiaGuinea-BissauEq. GuineaGreeceGrenadaGreenlandGuatemalaGuamGuyanaHong KongHeard I. and McDonald Is.HondurasCroatiaHaitiHungaryIndonesiaIsle of ManIndiaIrelandIranIraqIcelandIsraelItalyJamaicaJordanJapanBaikonurSiachen GlacierKazakhstanKenyaKyrgyzstanCambodiaKiribatiKoreaKosovoKuwaitLao PDRLebanonLiberiaLibyaSaint LuciaLiechtensteinSri LankaLesothoLithuaniaLuxembourgLatviaSt-MartinMoroccoMonacoMoldovaMadagascarMexicoMacedoniaMaliMyanmarMontenegroMongoliaMozambiqueMauritaniaMauritiusMalawiMalaysiaNamibiaNew CaledoniaNigerNigeriaNicaraguaNetherlandsNorwayNepalNew ZealandOmanPakistanPanamaPeruPhilippinesPalauPapua New GuineaPolandPuerto RicoDem. Rep. KoreaPortugalParaguayPalestineFr. PolynesiaQatarRomaniaRussia Percent of Connections: 50%RwandaW. SaharaSaudi ArabiaSudanS. SudanSenegalSingaporeS. Geo. and S. Sandw. Is.Solomon Is.Sierra LeoneEl SalvadorSan MarinoSomalilandSomaliaSerbiaSão Tomé and PrincipeSurinameSlovakiaSloveniaSwedenSwazilandSint MaartenSyriaChadTogoThailandTajikistanTurkmenistanTimor-LesteTongaTrinidad and TobagoTunisiaTurkeyTaiwanTanzaniaUgandaUkraineUruguayUnited States Percent of Connections: 50%USNB Guantanamo BayUzbekistanVaticanSt. Vin. and Gren.VenezuelaVietnamVanuatuAkrotiriSamoaYemenSouth AfricaZambiaZimbabwe89%78%67%56%44%33%22%11%0%100%

File

Type
PE32 executable (GUI) Intel 80386, for MS Windows
CRC32
8E9DC327
MD5
fec07e0949b34a367f2b8b1ff668f7eb
SHA1
608060884ac38b3c4fd12372d7fcfa75119c14cd
SHA256
0e46e7cb4bd9cd1a4dcd8b44ce08deba45786c84c54f6e1353fce990c22268ab
SHA512
164f2893a99a2d9f5a0b96c6f8bc17868d83a53349005f80e9cd3935c1c4cfcec9bd366e052da49f24cf2832465150e802396db597b8aed5013c36cc1141c22d
Ssdeep
1536:VoYk/5AneeJ2RBJXsIvi2vyDDqN7gQmIsWjcdvw5T8kSg3j/1777777y0GAUCNcF:VJ21X7jXgLvwaCJitxprH
PEiD
None matched

Screenshots

Behavior Summary

File-Deleted

  • C:\Users\Virtual\AppData\Local\Temp\0e46e7cb4bd9cd1a4dcd8b44ce08deba45786c84c54f6e1353fce990c22268ab.exe:Zone.Identifier
  • C:\Windows\M-5050050640745700375076006680\winmgr.exe:Zone.Identifier

File-Opened

  • C:\Windows\M-5050050640745700375076006680\winmgr.exe

File-Copied

  • C:\Users\Virtual\AppData\Local\Temp\0e46e7cb4bd9cd1a4dcd8b44ce08deba45786c84c54f6e1353fce990c22268ab.exe -> C:\Windows\M-5050050640745700375076006680\winmgr.exe

Network-Connects IP

  • 92.63.197.106

Directory-Created

  • C:\Windows\M-5050050640745700375076006680

Registry Key-Opened

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Registry Key-Read

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress

Registry Key-Written

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager

Mutex-Accessed

  • t2

Processes

Name: winmgr.exePID: 2488Name: 0e46e7cb4bd9cd1a4dc 8b44ce08deba...PID: 2432System
Process Name PID Parent PID