Malicious
Classifications | - |
Threat Names | - |
Dynamic Analysis Report
Created on 2024-05-15T16:32:29+00:00
1ade684a71883ac0cfe159c2b7568c62.virus.exe
Windows Exe (x86-32)
Remarks (2/3)
(0x0200003A): Tasks were rescheduled ahead of time to reveal dormant functionality.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "49 days, 17 hours, 8 minutes, 57 seconds" to "20 seconds" to reveal dormant functionality.
This list contains only the embedded files, downloaded files, and dropped files
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\kEecfMwgj\Desktop\1ade684a71883ac0cfe159c2b7568c62.virus.exe | Sample File | Binary | Malicious |
File Reputation Information
Verdict | Malicious |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | 4LLAH27Dpt |
CompanyName | FtcWyXuoC6rfB2xxSt7 |
InternalName | Q0g7KZwRjxGgzoxZBZqi3N.exe |
LegalCopyright | VqoKHWIgodcWO0nMF5P1S |
Comments | m3eHVl3EZmCJSudOU5oFoB8Ly |
OriginalFilename | NMUsgVZusgl9AZctN.exe |
ProductVersion | 915.415.784.739 |
FileVersion | 904.799.775.935 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x000003D0 | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.71 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
Memory Dumps (118)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
1ade684a71883ac0cfe159c2b7568c62.virus.exe | 1 | 0x001F0000 | 0x0052BFFF | Relevant Image | 64-bit | - |
buffer | 1 | 0x001B0000 | 0x001B7FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x001C0000 | 0x001C7FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x001D0000 | 0x001D0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00530000 | 0x00544FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x001E0000 | 0x001E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005D0000 | 0x005D9FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x001E0000 | 0x001E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023D0000 | 0x0241FFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02420000 | 0x02426FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023D0000 | 0x0241FFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02430000 | 0x02431FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02420000 | 0x02426FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023D0000 | 0x0241FFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02440000 | 0x02445FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02430000 | 0x02431FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02420000 | 0x02426FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023D0000 | 0x0241FFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1A9D0000 | 0x1A9D1FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02440000 | 0x02445FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02430000 | 0x02431FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02420000 | 0x02426FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023D0000 | 0x0241FFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1A9E0000 | 0x1A9EBFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1A9D0000 | 0x1A9D1FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02440000 | 0x02445FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02430000 | 0x02431FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x02420000 | 0x02426FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023D0000 | 0x0241FFFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023C0000 | 0x023C4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x00960000 | 0x00969FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x005E0000 | 0x005E0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x023A0000 | 0x023B0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1AA10000 | 0x1AA15FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1AEF0000 | 0x1AEF4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1AA10000 | 0x1AA15FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B010000 | 0x1B016FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B130000 | 0x1B131FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B010000 | 0x1B016FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0A0000 | 0x1B0A4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B130000 | 0x1B131FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B010000 | 0x1B016FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0B0000 | 0x1B0B8FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0A0000 | 0x1B0A4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B130000 | 0x1B131FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B010000 | 0x1B016FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0C0000 | 0x1B0C0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0B0000 | 0x1B0B8FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0A0000 | 0x1B0A4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B130000 | 0x1B131FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B010000 | 0x1B016FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0D0000 | 0x1B0D7FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0C0000 | 0x1B0C0FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0B0000 | 0x1B0B8FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0A0000 | 0x1B0A4FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B130000 | 0x1B131FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B010000 | 0x1B016FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B000000 | 0x1B006FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0E0000 | 0x1B0E5FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0F0000 | 0x1B0F1FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0E0000 | 0x1B0E5FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B100000 | 0x1B103FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0F0000 | 0x1B0F1FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B0E0000 | 0x1B0E5FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 1 | 0x1B110000 | 0x1B115FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
1ade684a71883ac0cfe159c2b7568c62.virus.exe | 1 | 0x001F0000 | 0x0052BFFF | Final Dump | 64-bit | - |
1ade684a71883ac0cfe159c2b7568c62.virus.exe | 1 | 0x001F0000 | 0x0052BFFF | Process Termination | 64-bit | - |
centralcreditcard.exe | 53 | 0x00DC0000 | 0x010FBFFF | Relevant Image | 64-bit | - |
1ade684a71883ac0cfe159c2b7568c62.virus.exe | 52 | 0x00A20000 | 0x00D5BFFF | Relevant Image | 64-bit | - |
order.exe | 51 | 0x01220000 | 0x0155BFFF | Relevant Image | 64-bit | - |
taskhost.exe | 48 | 0x00170000 | 0x004ABFFF | Relevant Image | 64-bit | - |
ncftp.exe | 54 | 0x00C40000 | 0x00F7BFFF | Relevant Image | 64-bit | - |
buffer | 54 | 0x003C0000 | 0x003C7FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 48 | 0x00570000 | 0x00577FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 53 | 0x003D0000 | 0x003D7FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 52 | 0x00960000 | 0x00967FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
buffer | 51 | 0x00130000 | 0x00137FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
order.exe | 51 | 0x01220000 | 0x0155BFFF | Final Dump | 64-bit | - |
1ade684a71883ac0cfe159c2b7568c62.virus.exe | 52 | 0x00A20000 | 0x00D5BFFF | Final Dump | 64-bit | - |
taskhost.exe | 48 | 0x00170000 | 0x004ABFFF | Final Dump | 64-bit | - |
centralcreditcard.exe | 53 | 0x00DC0000 | 0x010FBFFF | Final Dump | 64-bit | - |
ncftp.exe | 54 | 0x00C40000 | 0x00F7BFFF | Final Dump | 64-bit | - |
|
C:\MSOCache\All Users\{90160000-0044-0409-1000-0000000FF1CE}-C\ncftp.exe | Dropped File | Binary | Suspicious |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | UvZS9I8M1tW |
CompanyName | KP8UN5vk1WvCXxAzA4mF92 |
InternalName | DW65STCfqVyntCTgoJGr7AX5PI.exe |
LegalCopyright | M6gRzSW58 |
Comments | 9tXmzVj15 |
OriginalFilename | jjQR63Y5D8AhJDmj.exe |
ProductVersion | 856.474.939.803 |
FileVersion | 981.746.20.647 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x000003A8 | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.76 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
Memory Dumps (3)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
ncftp.exe | 54 | 0x00C40000 | 0x00F7BFFF | Relevant Image | 64-bit | - |
buffer | 54 | 0x003C0000 | 0x003C7FFF | Reflectively Loaded .NET Assembly | 64-bit | - |
ncftp.exe | 54 | 0x00C40000 | 0x00F7BFFF | Final Dump | 64-bit | - |
c:\windows\system\rcx51b.tmp | Dropped File | Binary | Clean |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003800 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | 1sPEv7djD2eKrOgc |
CompanyName | nwU98RZpSLz5p3lEz4 |
InternalName | Us6f7ImA2VFMUFaDw1y2T0yrc3cr.exe |
LegalCopyright | xGxUjw81nX0IQuNN9Ym9mQMNCftFr |
Comments | DXWAIPV2ggdLfrhzDTSPvy5tKt |
OriginalFilename | uSC72Y6TevQY72HzLWfdliSaKbN.exe |
ProductVersion | 169.861.896.195 |
FileVersion | 560.442.984.864 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x00000410 | 0x00000600 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.09 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
c:\recovery\d327d5c2-7147-11eb-9862-d731c5aaa7a9\rcxff8.tmp | Dropped File | Binary | Clean |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | yXBSww4mSLTELgfyr3ruTOw4nHbb |
CompanyName | qI1E9rO74sjNtH3ZeHy1zK6FgfR5 |
InternalName | rUgH2.exe |
LegalCopyright | Dw9LKZopRbSnGitVAS6NQMvqWM |
Comments | 1qRCFdO07r |
OriginalFilename | UwKahRVmKXdHUVLgs0hpm8GkJ9x.exe |
ProductVersion | 647.832.562.170 |
FileVersion | 299.159.489.240 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x000003E8 | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.65 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
c:\users\keecfmwgj\desktop\rcxea91.tmp | Dropped File | Binary | Clean |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | fyi |
CompanyName | N7 |
InternalName | 0YG8aYFfLajZU.exe |
LegalCopyright | KgTBGGlGvXNmxTUJbeLtK5l3z1db |
Comments | iYrnGe0N9G1k |
OriginalFilename | dlxxgcTBbNNmcP5qSPt4lP.exe |
ProductVersion | 129.77.893.140 |
FileVersion | 260.709.428.572 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x00000390 | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.77 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
c:\users\default\desktop\rcxa5b.tmp | Dropped File | Binary | Clean |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | sjzbkKM6v4UXhczHu1 |
CompanyName | 99evFK |
InternalName | xA5ZxsEiIyfm4oUVbPemqblzU.exe |
LegalCopyright | LnaJ3gf1ZMBXKzTIfOtj6dg |
Comments | gufUZ7RLE8qP68s8MDI |
OriginalFilename | UqFlu.exe |
ProductVersion | 852.643.355.810 |
FileVersion | 93.557.457.861 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x000003AC | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.79 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
c:\boot\nb-no\rcxf955.tmp | Dropped File | Binary | Clean |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | glfNgkEUdpujWV03q |
CompanyName | 9PUUUADpsFZXoV2zRKxkYR5Vit |
InternalName | AZz5dkPUHN.exe |
LegalCopyright | YdKEG94PAK |
Comments | fDjIlrlT8bmkDJ1JbhTBcy8c |
OriginalFilename | iTK6w.exe |
ProductVersion | 133.124.335.380 |
FileVersion | 780.76.774.518 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x000003A8 | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.75 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
c:\recovery\d327d5c2-7147-11eb-9862-d731c5aaa7a9\rcxfef2.tmp | Dropped File | Binary | Clean |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0073218E |
Size Of Code | 0x00330200 |
Size Of Initialized Data | 0x00003600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2022-05-04 18:03 (UTC+2) |
Version Information (8)
ProductName | vdbPyp4G5OmHpkJCHF4ALJiXiyVp0 |
CompanyName | L4SkuZ7QeMNq |
InternalName | 6HTzv9KgaUrbf.exe |
LegalCopyright | qkA |
Comments | VQiC4n2K |
OriginalFilename | F1flbxxsQOcppjzsam33Uu.exe |
ProductVersion | 777.678.245.484 |
FileVersion | 297.482.140.204 |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00330194 | 0x00330200 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.77 |
.sdata | 0x00734000 | 0x00002FDF | 0x00003000 | 0x00330600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24 |
.rsrc | 0x00738000 | 0x0000039C | 0x00000400 | 0x00333600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.79 |
.reloc | 0x0073A000 | 0x0000000C | 0x00000200 | 0x00333A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x00332168 | 0x00330568 | 0x00000000 |
C:\Recovery\d327d5c2-7147-11eb-9862-d731c5aaa7a9\cd707bb9628b4e | Dropped File | Text | Clean |
C:\MSOCache\All Users\{90160000-0044-0409-1000-0000000FF1CE}-C\b25e929d5fbf10 | Dropped File | Text | Clean |
C:\Users\Default\Desktop\b75386f1303e64 | Dropped File | Text | Clean |
C:\Users\kEecfMwgj\AppData\Local\Temp\\E969IshFWt.bat | Dropped File | Text | Clean |
C:\Recovery\d327d5c2-7147-11eb-9862-d731c5aaa7a9\da6ea209acf49b | Dropped File | Text | Clean |
C:\Users\kEecfMwgj\AppData\Local\Temp\BWSfIVCb9x | Dropped File | Text | Clean |
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd | Extracted File | Image | Clean (known to be clean) |
File Reputation Information
Verdict | Clean (known to be clean) |