Static | ZeroBOX

PE Compile Time

2023-03-21 11:13:05

PE Imphash

0145d2c473bdbcd7b46a054bd6893ec4

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00018fdb    0x00019000        6.52407197696
.rdata  0x0001a000       0x0000538e    0x00005400        5.27214502561
.data   0x00020000       0x001351b8    0x00000600        5.03603060524
.rsrc   0x00156000       0x00002c70    0x00002e00        3.95858612909
.reloc  0x00159000       0x00001454    0x00001600        6.5634517231
.bss    0x0015b000       0x00001000    0x00000200        3.69857479531
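The sections table is the first place to check for packing or runtime unpacking. Two things stand out in the rows above: entropy stays below 7 everywhere (so the file itself is not wholesale compressed or encrypted), while .data declares a virtual size of 0x001351b8 (about 1.2 MiB) against only 0x600 bytes of raw data, memory the loader reserves but the file does not fill, which is a common landing zone for a decrypted second stage. The following Python is an added example, not part of the ZeroBOX report: it parses the six rows above as constructed input, reimplements the Shannon entropy the Entropy column reports, and flags sections by entropy and by virtual/raw slack. The thresholds (7.0 bits, 8x slack, 64 KiB minimum) are this example's own choices.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Rows copied from the Sections table of this report (constructed input for the example).
SECTIONS_TEXT = """\
.text 0x00001000 0x00018fdb 0x00019000 6.52407197696
.rdata 0x0001a000 0x0000538e 0x00005400 5.27214502561
.data 0x00020000 0x001351b8 0x00000600 5.03603060524
.rsrc 0x00156000 0x00002c70 0x00002e00 3.95858612909
.reloc 0x00159000 0x00001454 0x00001600 6.5634517231
.bss 0x0015b000 0x00001000 0x00000200 3.69857479531
"""


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float


def parse_sections(text: str) -> list:
    """Parse 'name va vsize rawsize entropy' rows; hex fields carry a 0x prefix."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        name, va, vs, raw, ent = parts
        rows.append(Section(name, int(va, 16), int(vs, 16), int(raw, 16), float(ent)))
    return rows


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant data) to 8.0 (uniform); the measure the Entropy column uses."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_sections(sections, *, entropy_threshold=7.0, slack_ratio=8, min_virtual=0x10000):
    """Return {section name: [reasons]} for rows worth a closer look.

    - entropy >= threshold: compressed or encrypted content (packer stub, embedded payload)
    - virtual size far larger than raw data: memory reserved by the loader that the file does
      not contain, a typical destination for an unpacked or decrypted second stage
    The size floor keeps tiny .bss-style sections from being reported on ratio alone.
    """
    findings = {}
    for s in sections:
        reasons = []
        if s.entropy >= entropy_threshold:
            reasons.append(f"high entropy {s.entropy:.2f}")
        raw = max(s.raw_size, 1)
        if s.virtual_size >= min_virtual and s.virtual_size >= slack_ratio * raw:
            reasons.append(f"virtual 0x{s.virtual_size:x} vs raw 0x{s.raw_size:x} "
                           f"({s.virtual_size // raw}x slack)")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_sections(parse_sections(SECTIONS_TEXT)).items():
        print(name, "->", "; ".join(reasons))
```

Run against the table above, only .data is reported (roughly 840x slack); .bss has the same 8x ratio but falls under the size floor. On a real file, feed `shannon_entropy` the section's raw bytes from `pefile` rather than trusting the report's column.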

Resources

Name    Offset      Size        Language      Sub-language          File type
WM_DSP  0x00156070  0x00002c00  LANG_ENGLISH  SUBLANG_ARABIC_QATAR  PE32 executable (GUI) Intel 80386, for MS Windows

Imports

Library WINMM.dll:
0x41a340 waveInClose
0x41a344 waveInAddBuffer
0x41a348 waveInStart
0x41a34c waveInStop
0x41a350 waveInPrepareHeader
0x41a358 waveInOpen
Library webservices.dll:
Library bcrypt.dll:
0x41a3a8 BCryptSetProperty
0x41a3b0 BCryptDecrypt
Library KERNEL32.dll:
0x41a0b0 GetTickCount
0x41a0b4 HeapAlloc
0x41a0b8 GetProcessHeap
0x41a0bc GetCommandLineA
0x41a0c0 GetStartupInfoA
0x41a0c4 HeapFree
0x41a0c8 VirtualAlloc
0x41a0cc HeapReAlloc
0x41a0d0 VirtualQuery
0x41a0d4 LocalAlloc
0x41a0d8 LocalFree
0x41a0e0 TerminateThread
0x41a0e4 CreateThread
0x41a0e8 WriteProcessMemory
0x41a0ec GetCurrentProcess
0x41a0f0 OpenProcess
0x41a0f8 VirtualProtectEx
0x41a0fc VirtualAllocEx
0x41a100 CreateRemoteThread
0x41a104 GetModuleHandleW
0x41a108 IsWow64Process
0x41a10c WriteFile
0x41a110 WaitForSingleObject
0x41a114 CreateFileW
0x41a118 LoadLibraryW
0x41a11c GetLocalTime
0x41a120 GetCurrentThreadId
0x41a124 GetCurrentProcessId
0x41a128 ReadFile
0x41a12c FindFirstFileA
0x41a130 GetBinaryTypeW
0x41a134 FindNextFileA
0x41a138 lstrcpyW
0x41a13c CreateFileA
0x41a140 GlobalAlloc
0x41a14c GetFileSize
0x41a150 FreeLibrary
0x41a154 SetDllDirectoryW
0x41a158 GetFileSizeEx
0x41a160 CreatePipe
0x41a164 PeekNamedPipe
0x41a168 DuplicateHandle
0x41a16c SetEvent
0x41a170 CreateProcessW
0x41a174 CreateEventA
0x41a178 GetModuleFileNameW
0x41a17c LoadResource
0x41a180 FindResourceW
0x41a184 GetComputerNameW
0x41a18c LoadLibraryExW
0x41a190 FindFirstFileW
0x41a194 FindNextFileW
0x41a198 SetFilePointer
0x41a1a0 CopyFileW
0x41a1a4 GetDriveTypeW
0x41a1b8 CreateMutexA
0x41a1bc ReleaseMutex
0x41a1c0 TerminateProcess
0x41a1cc Process32NextW
0x41a1d0 Process32FirstW
0x41a1d4 DeleteFileW
0x41a1d8 SizeofResource
0x41a1dc VirtualProtect
0x41a1e0 GetSystemDirectoryW
0x41a1e4 LockResource
0x41a1ec GlobalLock
0x41a1f0 GlobalUnlock
0x41a1f4 Process32First
0x41a1f8 Process32Next
0x41a1fc WideCharToMultiByte
0x41a200 lstrcpyA
0x41a204 Sleep
0x41a208 MultiByteToWideChar
0x41a20c lstrcatA
0x41a210 lstrcmpA
0x41a214 lstrlenA
0x41a21c lstrlenW
0x41a220 lstrcmpW
0x41a224 CreateProcessA
0x41a228 WinExec
0x41a22c ExitProcess
0x41a230 GetProcAddress
0x41a234 CloseHandle
0x41a238 lstrcatW
0x41a23c LoadLibraryA
0x41a240 GetLastError
0x41a248 GetModuleHandleA
0x41a24c GetTempPathW
0x41a250 VirtualFree
0x41a254 SetLastError
0x41a258 GetModuleFileNameA
0x41a25c CreateDirectoryW
0x41a260 GetFullPathNameA
Library USER32.dll:
0x41a2c8 GetWindowTextW
0x41a2cc GetLastInputInfo
0x41a2d0 wsprintfW
0x41a2d4 CharLowerW
0x41a2d8 PostQuitMessage
0x41a2dc ToUnicode
0x41a2e0 TranslateMessage
0x41a2e8 DefWindowProcA
0x41a2ec MapVirtualKeyA
0x41a2f0 GetRawInputData
0x41a2f4 RegisterClassW
0x41a2f8 GetAsyncKeyState
0x41a2fc GetKeyboardState
0x41a300 CreateWindowExW
0x41a304 SetClipboardViewer
0x41a308 DispatchMessageA
0x41a30c MapVirtualKeyW
0x41a310 GetMessageA
0x41a314 GetKeyState
0x41a318 ReleaseDC
0x41a31c GetSystemMetrics
0x41a320 GetForegroundWindow
0x41a324 OpenClipboard
0x41a328 CloseClipboard
0x41a32c GetClipboardData
0x41a330 GetDC
Library ADVAPI32.dll:
0x41a000 RegQueryValueExW
0x41a010 OpenProcessToken
0x41a014 FreeSid
0x41a018 LookupAccountSidW
0x41a01c GetTokenInformation
0x41a020 RegQueryInfoKeyA
0x41a024 RegOpenKeyW
0x41a028 CloseServiceHandle
0x41a030 RegDeleteKeyA
0x41a038 GetUserNameW
0x41a03c RegDeleteKeyW
0x41a040 RegCreateKeyExW
0x41a044 RegSetValueExA
0x41a048 RegOpenKeyExW
0x41a04c RegOpenKeyExA
0x41a050 RegEnumKeyExW
0x41a054 RegQueryValueExA
0x41a058 RegQueryInfoKeyW
0x41a05c RegCloseKey
0x41a060 OpenServiceW
0x41a068 QueryServiceConfigW
0x41a070 StartServiceW
0x41a074 RegSetValueExW
0x41a078 RegCreateKeyExA
0x41a07c OpenSCManagerW
0x41a080 RegDeleteValueW
Library SHELL32.dll:
0x41a284 SHFileOperationW
0x41a290 SHGetFolderPathW
0x41a294 ShellExecuteW
0x41a298 None
Library urlmon.dll:
0x41a3f4 URLDownloadToFileW
Library gdiplus.dll:
0x41a3b8 GdiplusStartup
0x41a3c0 GdipSaveImageToFile
0x41a3c4 GdipDisposeImage
0x41a3d0 GdiplusShutdown
Library WS2_32.dll:
0x41a360 WSAConnect
0x41a364 WSAStartup
0x41a368 shutdown
0x41a36c closesocket
0x41a370 WSACleanup
0x41a374 connect
0x41a378 InetNtopW
0x41a37c gethostbyname
0x41a380 send
0x41a384 socket
0x41a388 recv
0x41a38c htons
0x41a390 freeaddrinfo
0x41a394 setsockopt
0x41a398 getaddrinfo
0x41a39c inet_addr
Library ole32.dll:
0x41a3dc CoInitialize
0x41a3e0 CoCreateInstance
0x41a3e4 CoTaskMemFree
0x41a3e8 CoUninitialize
Library SHLWAPI.dll:
0x41a2a4 AssocQueryStringW
0x41a2a8 StrStrW
0x41a2ac PathRemoveFileSpecA
0x41a2b0 PathCombineA
0x41a2b4 PathFindFileNameW
0x41a2b8 PathFindExtensionW
0x41a2bc PathFileExistsW
0x41a2c0 StrStrA
Library NETAPI32.dll:
0x41a268 NetUserAdd
0x41a26c NetApiBufferFree
0x41a270 NetUserGetInfo
Library OLEAUT32.dll:
0x41a27c VariantInit
Library CRYPT32.dll:
0x41a090 CryptUnprotectData
Library WININET.dll:
Library GDI32.dll:
0x41a098 CreateCompatibleDC
0x41a09c SelectObject
0x41a0a4 BitBlt
0x41a0a8 DeleteObject
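The imphash above (0145d2c473bdbcd7b46a054bd6893ec4) is the MD5 of the import table after normalisation: each entry becomes `dll.function` with the library lower-cased and its .dll/.ocx/.sys extension removed, the function lower-cased, ordinal-only imports rendered by name where pefile knows them (ws2_32, oleaut32) and as `ordN` otherwise, all joined with commas in import-table order. Note that the listing above cannot reproduce that value: several thunk addresses are skipped (for example 0x41a354 between waveInPrepareHeader and waveInOpen, and the string dump later lists names such as RegisterRawInputDevices and AdjustTokenPrivileges that never appear here), and the SHELL32 entry at 0x41a298 is shown as None. The Python below is an added example, not part of the report or of pefile, demonstrating the normalisation on a constructed subset of these imports; the ordinal value is made up and the ws2_32/oleaut32 name lookup is deliberately omitted.

```python
import hashlib

# Constructed subset of the imports listed above. The real table is longer and partly
# unnamed in this report, so this does NOT reproduce 0145d2c473bdbcd7b46a054bd6893ec4.
SAMPLE_IMPORTS = [
    ("WINMM.dll", "waveInOpen"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("WS2_32.dll", "connect"),
    ("SHELL32.dll", 0x2E8),  # ordinal-only import (the "None" entry); 0x2E8 is a made-up value
]


def normalize_import(dll: str, func) -> str:
    """One 'dll.func' token as the imphash algorithm forms it."""
    dll = dll.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if isinstance(func, int):
        # pefile first tries a ws2_32/oleaut32 ordinal-to-name table; this example
        # (assumption) skips that table and renders every ordinal as ordN.
        func = f"ord{func}"
    return f"{dll}.{func.lower()}"


def imphash(imports) -> str:
    """MD5 over the comma-joined tokens, in import-table order (order matters)."""
    joined = ",".join(normalize_import(d, f) for d, f in imports)
    return hashlib.md5(joined.encode()).hexdigest()


if __name__ == "__main__":
    print(",".join(normalize_import(d, f) for d, f in SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two practical consequences follow from the algorithm: casing and file extensions never change the hash (so a build that renames KERNEL32.dll to kernel32.dll collides on purpose), while reordering the import descriptors or adding a single import produces an unrelated value, which is why imphash pivots work within a build chain and fail across a relink.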

!This program cannot be run in DOS mode.
127.0.0.2
shutdown.exe /r /t 00
shutdown.exe /r /f /t 00
RtlAdjustPrivilege
ntdll.dll
NtRaiseHardError
cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C
\cookies.sqlite
\Microsoft\Edge\User Data\Default\cookies
\Microsoft\Windows\INetCookies
\Microsoft\Windows\Cookies
abcdefghijklmnopqrstuvwxyzABCDEFGHIJK...
Ws2_32.dll
connect
nevergonnagiveyouup
USER32.DLL
MessageBoxA
Assert
An assertion condition failed
PureCall
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application
microsoft.com
GET http://microsoft.com/ HTTP/1.1
Host: microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
XXXXXX
\System32\cmd.exe
LdrGetProcedureAddress
RtlNtStatusToDosError
RtlSetLastWin32Error
NtAllocateVirtualMemory
NtProtectVirtualMemory
NtWriteVirtualMemory
LdrLoadDll
RtlCreateUserThread
GetRawInputData
ToUnicode
MapVirtualKeyA
\Google\Cache\
select signon_realm, origin_url, username_value, password_value from wow_logins
select signon_realm, origin_url, username_value, password_value from logins
select host_key, path, name, encrypted_value, expires_utc, is_httponly, samesite, is_secure from cookies
SELECT url, title, visit_count, last_visit_time FROM urls
\places.sqlite
SELECT url, title, visit_count, last_visit_date FROM moz_places
SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSSBase64_DecodeBuffer
PK11_CheckUserPassword
NSS_Shutdown
PK11_FreeSlot
PR_GetError
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItem
VaultFree
encryptedUsername
hostname
encryptedPassword
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_column_text
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_count
sqlite3_data_count
sqlite3_step
sqlite3_exec
sqlite3_open_v2
sqlite3_column_blob
sqlite3_column_type
sqlite3_column_bytes
sqlite3_close_v2
sqlite3_finalize
Storage
Accounts\Account.rec0
software\Aerofox\FoxmailPreview
Executable
UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
127.0.0.1
\Google\Media\
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
RtlGetVersion
K.$RtlCreateUnicodeStringFromAsciiz
RtlInitAnsiString
IsWow64Process
kernel32
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
Software\Classes\Folder\shell\open\command
DelegateExecute
cmd.exe /C C:\Windows\System32\sdclt.exe
' -DestinationPath '
' -Force"
-DestinationPath '
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
explorer.exe
powershell Add-MpPreference -ExclusionPath
SHCORE.DLL
SetProcessDpiAwareness
Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
MaxConnectionsPerServer
BQAaR$43!QAFff
?lst@@YAXHJ@Z
gqw|:1
.text$di
.text$mn
.text$yd
.idata$5
.rdata
.rdata$voltmd
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.CRT$XCA
.CRT$XCU
.CRT$XCZ
.rsrc$01
.rsrc$02
waveInAddBuffer
waveInStart
waveInOpen
waveInUnprepareHeader
waveInPrepareHeader
waveInStop
waveInClose
WINMM.dll
WsFileTimeToDateTime
webservices.dll
BCryptDecrypt
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptGenerateSymmetricKey
bcrypt.dll
CreateDirectoryW
GetModuleFileNameA
SetLastError
VirtualFree
GetTempPathW
GetModuleHandleA
GetPrivateProfileStringW
GetLastError
LoadLibraryA
lstrcatW
CloseHandle
GetProcAddress
ExitProcess
WinExec
CreateProcessA
lstrcmpW
lstrlenW
ExpandEnvironmentStringsW
lstrlenA
lstrcmpA
lstrcatA
MultiByteToWideChar
lstrcpyA
WideCharToMultiByte
lstrcpyW
GetTickCount
HeapAlloc
GetProcessHeap
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
LocalAlloc
LocalFree
SystemTimeToFileTime
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
GetModuleHandleW
IsWow64Process
WriteFile
WaitForSingleObject
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
CreateProcessW
CreateEventA
GetModuleFileNameW
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
SetFilePointer
GetLogicalDriveStringsW
CopyFileW
GetDriveTypeW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
K32GetModuleFileNameExW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
DeleteFileW
SizeofResource
VirtualProtect
GetSystemDirectoryW
LockResource
GetWindowsDirectoryW
GlobalLock
GlobalUnlock
Process32First
Process32Next
KERNEL32.dll
CharLowerW
wsprintfW
GetWindowTextW
GetForegroundWindow
GetLastInputInfo
PostQuitMessage
ToUnicode
TranslateMessage
RegisterRawInputDevices
DefWindowProcA
MapVirtualKeyA
GetRawInputData
RegisterClassW
GetAsyncKeyState
GetKeyboardState
CreateWindowExW
SetClipboardViewer
DispatchMessageA
MapVirtualKeyW
GetMessageA
GetKeyState
ReleaseDC
GetSystemMetrics
GetClipboardData
CloseClipboard
OpenClipboard
USER32.dll
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
RegOpenKeyW
RegQueryInfoKeyA
GetTokenInformation
LookupAccountSidW
FreeSid
OpenProcessToken
AllocateAndInitializeSid
AdjustTokenPrivileges
LookupPrivilegeValueW
RegDeleteValueW
RegSetValueExA
RegCreateKeyExW
RegDeleteKeyW
GetUserNameW
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
ADVAPI32.dll
ShellExecuteW
SHGetFolderPathW
SHCreateDirectoryExW
SHGetSpecialFolderPathW
SHFileOperationW
SHGetKnownFolderPath
SHELL32.dll
URLDownloadToFileW
urlmon.dll
GdipSaveImageToFile
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdiplusShutdown
GdiplusStartup
GdipGetImageEncodersSize
GdipGetImageEncoders
gdiplus.dll
getaddrinfo
freeaddrinfo
WSAConnect
InetNtopW
WS2_32.dll
CreateStreamOnHGlobal
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoUninitialize
CoTaskMemFree
ole32.dll
PathFindExtensionW
StrStrA
PathFindFileNameW
PathCombineA
PathRemoveFileSpecA
StrStrW
AssocQueryStringW
PathFileExistsW
SHLWAPI.dll
NetLocalGroupAddMembers
NetUserAdd
NetApiBufferFree
NetUserGetInfo
NETAPI32.dll
OLEAUT32.dll
CryptStringToBinaryA
CryptUnprotectData
CryptStringToBinaryW
CRYPT32.dll
InternetTimeToSystemTimeA
WININET.dll
DeleteObject
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
BitBlt
GDI32.dll
!This program cannot be run in DOS mode.
RtlGetCurrentPeb
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlInitUnicodeString
RtlFillMemory
NtAllocateVirtualMemory
LdrEnumerateLoadedModules
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing>
<package action="install">
<assemblyIdentity name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/>
<source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" />
</package>
</servicing>
</unattend>
.text$mn
.idata$5
.00cfg
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
SizeofResource
WriteFile
GetModuleFileNameW
GetTempPathW
WaitForSingleObject
CreateFileW
GetSystemDirectoryW
lstrcatW
LockResource
CloseHandle
LoadLibraryW
LoadResource
FindResourceW
GetWindowsDirectoryW
GetProcAddress
ExitProcess
KERNEL32.dll
MessageBoxW
USER32.dll
SHCreateItemFromParsingName
ShellExecuteExW
SHELL32.dll
CoInitialize
CoUninitialize
CoCreateInstance
CoGetObject
ole32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
!This program cannot be run in DOS mode.
.text$mn
.idata$5
.00cfg
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
GetStartupInfoW
ExpandEnvironmentStringsW
TerminateProcess
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
CloseHandle
ExitProcess
CreateProcessW
lstrcmpW
KERNEL32.dll
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
PathFindFileNameW
SHLWAPI.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
\Microsoft Vision\
\Documents:ApplicationData
Local\Google\Chrome\User Data\Default\Network\Cookies
\Mozilla\Firefox\
profiles.ini
Profile
ntdll.dll
dUser32.dll
ExplorerIdentifier
%02d-%02d-%02d_%02d.%02d.%02d
Unknown
#Window Name:
-Clipboard Grabbed-
Profile %d
Default
\Google\Chrome\User Data\Local State
\Google\Chrome\User Data\Default\Network\Cookies
\Microsoft\Edge\User Data\Local State
\Microsoft\Edge\User Data\Default\Network\Cookies
\Google\Chrome\User Data\Default\History
\Google\Chrome\User Data\Default\Login Data
\Google\Chrome Beta\User Data\Local State
\Google\Chrome Beta\User Data\Default\Login Data
\Epic Privacy Browser\User Data\Local State
\Epic Privacy Browser\User Data\Default\Login Data
\Microsoft\Edge\User Data\Default\Login Data
\UCBrowser\User Data_i18n\Local State
\UCBrowser\User Data_i18n\Default\UC Login Data.17
\Tencent\QQBrowser\User Data\Local State
\Tencent\QQBrowser\User Data\Default\Login Data
\Opera Software\Opera Stable\Local State
\Opera Software\Opera Stable\Login Data
\Blisk\User Data\Local State
\Blisk\User Data\Default\Login Data
\Chromium\User Data\Local State
\Chromium\User Data\Default\Login Data
\BraveSoftware\Brave-Browser\User Data\Local State
\BraveSoftware\Brave-Browser\User Data\Default\Login Data
\Vivaldi\User Data\Local State
\Vivaldi\User Data\Default\Login Data
\Comodo\Dragon\User Data\Local State
\Comodo\Dragon\User Data\Default\Login Data
\Torch\User Data\Local State
\Torch\User Data\Default\Login Data
\Slimjet\User Data\Local State
\Slimjet\User Data\Default\Login Data
\CentBrowser\User Data\Local State
\CentBrowser\User Data\Default\Login Data
Software\Microsoft\Windows\CurrentVersion\App Paths\
softokn3.dll
msvcp140.dll
mozglue.dll
vcruntime140.dll
freebl3.dll
nss3.dll
msvcr120.dll
msvcp120.dll
Internet Explorer
firefox.exe
\firefox.exe
\logins.json
thunderbird.exe
\Thunderbird\
Could not decrypt
Account Name
POP3 Server
POP3 User
SMTP Server
POP3 Password
SMTP Password
HTTP Password
IMAP Password
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
ChainingModeGCM
ChainingMode
"encrypted_key":"
Description
Source
FriendlyName
Source
Grabber
Grabber
TermService
%ProgramFiles%
%windir%\System32
%ProgramW6432%
\Microsoft DN1
\rfxvmt.dll
\rdpwrap.ini
\sqlmap.dll
SeDebugPrivilege
%SystemRoot%\System32\termsrv.dll
SYSTEM\CurrentControlSet\Services\TermService\Parameters
ServiceDll
SYSTEM\CurrentControlSet\Services\TermService
ImagePath
svchost.exe
svchost.exe -k
CertPropSvc
SessionEnv
ServicesActive
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns
SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector
SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC
fDenyTSConnections
EnableConcurrentSessions
AllowMultipleTSSessions
RDPClip
A\cmd.exe
\WindowsPowerShell\v1.0\powershell.exe
image/jpeg
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Cryptography
MachineGuid
root\CIMV2
SELECT Name FROM Win32_VideoController
Software\Microsoft\Windows\CurrentVersion\Explorer\
InitWindows
Software\Microsoft\Windows\CurrentVersion\Run\
:Zone.Identifier
\programs.bat
for /F "usebackq tokens=*" %%A in ("
:start
") do %%A
wmic process call create '"
SOFTWARE\_rptls
Install
\System32\cmd.exe
WM_DSP
e\sdclt.exe
powerShell.exe -windowstyle hidden -Command "Compress-Archive -Path '
@send.db
WM_DSP
ntdll.dll
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
\explorer.exe
WM_DISP
dismcore.dll
ellocnak.xml
\pkgmgr.exe
/n:%temp%\ellocnak.xml
Hey I'm Admin
WM_DISP
SOFTWARE\_rptls
Install
%systemroot%\system32\
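The string dump above is the most informative part of this report: it exposes RDP Wrapper installation (rdpwrap.ini, termsrv.dll, fDenyTSConnections), a hidden local account (SpecialAccounts\UserList, NetUserAdd), three UAC bypass routes (sdclt.exe with DelegateExecute, the CMSTPLUA elevation moniker {3ad05575-8857-4850-9277-11b85bdb8e09}, pkgmgr.exe with ellocnak.xml), a Defender exclusion, Chromium and Firefox credential and cookie queries, Raw Input keylogging, clipboard, microphone and screen capture, self-deletion via a ping delay, and forced reboot strings. The Python below is an added example, not part of the ZeroBOX output, that turns such a dump into a capability summary: it runs a small rule set over a constructed subset of the strings above and maps each hit to a MITRE ATT&CK technique. The regexes and the technique mapping are this example's own reading of these strings, not a published signature set.

```python
import re
from collections import defaultdict

# Constructed subset of the strings dumped above, plus two benign API names as negatives.
SAMPLE_STRINGS = [
    r"\rdpwrap.ini", r"%SystemRoot%\System32\termsrv.dll", "fDenyTSConnections",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
    "NetUserAdd", r"Software\Classes\Folder\shell\open\command", "DelegateExecute",
    r"cmd.exe /C C:\Windows\System32\sdclt.exe",
    "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}",
    "powershell Add-MpPreference -ExclusionPath",
    "select signon_realm, origin_url, username_value, password_value from logins",
    r"\Google\Chrome\User Data\Local State", '"encrypted_key":"', "PK11SDR_Decrypt",
    "RegisterRawInputDevices", "GetRawInputData", "ToUnicode",
    "SetClipboardViewer", "-Clipboard Grabbed-", "waveInOpen",
    "BitBlt", "GdipSaveImageToFile", "image/jpeg",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "CreateRemoteThread", "NtWriteVirtualMemory", "RtlCreateUserThread",
    "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q",
    "shutdown.exe /r /f /t 00", "NtRaiseHardError",
    "URLDownloadToFileW",
    "powerShell.exe -windowstyle hidden -Command \"Compress-Archive -Path '",
    "SELECT Name FROM Win32_VideoController",
    "GetTickCount", "HeapAlloc",  # benign noise: must not match any rule
]

# (ATT&CK technique, label, case-insensitive regex). Written for this example from the
# strings on this page; tune before reuse, these are indicators, not proof of behaviour.
RULES = [
    ("T1021.001", "RDP enablement / RDP Wrapper",
     r"rdpwrap\.ini|termsrv\.dll|fDenyTSConnections|EnableConcurrentSessions"),
    ("T1136.001", "hidden local account",
     r"SpecialAccounts\\UserList|NetUserAdd|NetLocalGroupAddMembers"),
    ("T1548.002", "UAC bypass (sdclt/DelegateExecute, CMSTPLUA COM, pkgmgr)",
     r"sdclt\.exe|DelegateExecute|Elevation:Administrator!new|ellocnak\.xml|pkgmgr\.exe"),
    ("T1562.001", "Defender exclusion", r"Add-MpPreference"),
    ("T1555.003", "browser credential / cookie theft",
     r"from logins|Login Data|Local State|encrypted_key|PK11SDR_Decrypt|logins\.json|from cookies|moz_cookies"),
    ("T1056.001", "keylogging via Raw Input",
     r"RegisterRawInputDevices|GetRawInputData|ToUnicode|MapVirtualKey"),
    ("T1115", "clipboard capture", r"SetClipboardViewer|GetClipboardData|Clipboard Grabbed"),
    ("T1123", "microphone capture", r"waveIn(Open|Start|AddBuffer)"),
    ("T1113", "screen capture", r"BitBlt|GdipSaveImageToFile|image/jpeg"),
    ("T1547.001", "Run-key persistence", r"CurrentVersion\\Run\\"),
    ("T1055", "remote process injection",
     r"CreateRemoteThread|WriteProcessMemory|NtWriteVirtualMemory|RtlCreateUserThread|VirtualAllocEx"),
    ("T1070.004", "self-deletion after ping delay", r"ping 1\.2\.3\.4.*Del /f /q"),
    ("T1529", "forced reboot / hard error", r"shutdown\.exe /r|NtRaiseHardError"),
    ("T1105", "payload download", r"URLDownloadToFile"),
    ("T1560.001", "archive staging for exfiltration", r"Compress-Archive"),
    ("T1497", "VM/sandbox fingerprinting via WMI", r"Win32_VideoController"),
]


def triage(strings):
    """Map (technique, label) to the strings that hit it; rules with no hit are omitted."""
    compiled = [(tid, label, re.compile(rx, re.IGNORECASE)) for tid, label, rx in RULES]
    hits = defaultdict(list)
    for s in strings:
        for tid, label, rx in compiled:
            if rx.search(s):
                hits[(tid, label)].append(s)
    return dict(hits)


def techniques(strings):
    """Sorted list of technique IDs observed, for a report header or a detection backlog."""
    return sorted(tid for tid, _ in triage(strings))


if __name__ == "__main__":
    for (tid, label), matched in sorted(triage(SAMPLE_STRINGS).items()):
        print(f"{tid:<10} {label}")
        for s in matched:
            print(f"           {s}")
```

Feed it the full dump (for example the output of `strings -a -el` and `strings -a` on the sample, or the WM_DSP resource after extraction) rather than this subset; the negatives in the sample show why API names alone are weak evidence and the rules lean on paths, registry keys and command lines wherever the dump offers them.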
Antivirus Signature
Bkav W32.AIDetectMalware
Lionic Clean
Elastic Windows.Trojan.AveMaria
MicroWorld-eScan DeepScan:Generic.Malware.SFlg.194148F5
ClamAV Win.Downloader.Powershell-9856919-0
FireEye Generic.mg.e30b956aebb229fa
CAT-QuickHeal Clean
McAfee PWS-FDNF!E30B956AEBB2
Malwarebytes Generic.Malware.AI.DDS
VIPRE DeepScan:Generic.Malware.SFlg.194148F5
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0054d10e1 )
BitDefender DeepScan:Generic.Malware.SFlg.194148F5
K7GW Trojan ( 0054d10e1 )
Cybereason malicious.aebb22
Baidu Clean
VirIT Trojan.Win32.Genus.QJS
Cyren W32/Antiav.INDT-0919
Symantec Infostealer
tehtris Clean
ESET-NOD32 a variant of Win32/Warzone.A
APEX Malicious
Paloalto Clean
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.Agentb.jiad
Alibaba Clean
NANO-Antivirus Trojan.Win32.AntiAV.fljpfv
ViRobot Clean
Rising Trojan.Guildma!8.115A7 (TFE:4:Y5Zf9EMgZjH)
Sophos Mal/EncPk-MP
F-Secure Trojan.TR/Redcap.ghjpt
DrWeb Trojan.Uacbypass.28
Zillya Trojan.Agent.Win32.3406532
TrendMicro TrojanSpy.Win32.MOCRT.SM
McAfee-GW-Edition BehavesLike.Win32.Downloader.ch
Trapmine malicious.high.ml.score
CMC Clean
Emsisoft DeepScan:Generic.Malware.SFlg.194148F5 (B)
SentinelOne Static AI - Malicious PE
GData Win32.Trojan.PSE.38UUO1
Jiangmin Clean
Webroot Clean
Avira TR/Redcap.ghjpt
MAX malware (ai score=82)
Antiy-AVL Trojan[APT]/Win32.Confucius
Gridinsoft Clean
Xcitium Clean
Arcabit DeepScan:Generic.Malware.SFlg.194148F5
SUPERAntiSpyware Clean
ZoneAlarm Trojan.Win32.Agentb.jiad
Microsoft Trojan:Win32/Guildma.psyA!MTB
Google Detected
AhnLab-V3 Trojan/Win32.AveMaria.R263895
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36250.iyW@ayAdNKci
ALYac DeepScan:Generic.Malware.SFlg.194148F5
TACHYON Clean
DeepInstinct MALICIOUS
VBA32 BScope.TrojanSpy.AveMaria
Cylance unsafe
Panda Trj/Genetic.gen
Zoner Trojan.Win32.74962
TrendMicro-HouseCall TrojanSpy.Win32.MOCRT.SM
Tencent Malware.Win32.Gencirc.10bebf78
Yandex Clean
Ikarus Trojan.Win32.Warzone
MaxSecure Trojan.Malware.204039776.susgen
Fortinet Riskware/Kryptik.FCOG
AVG Win32:Malware-gen
Avast Win32:Malware-gen
CrowdStrike win/malicious_confidence_100% (W)
No IRMA results available.