WNetWatcher.exe
This report is generated from a file or URL submitted to this webservice on March 22nd 2019 07:28:56 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Spyware: Contains ability to open the clipboard; POSTs files to a webserver
- Fingerprint: Reads the active computer name
- Evasive: Possibly tries to implement anti-virtualization techniques
- Spreading: Detected a large number of ARP broadcast requests (network device lookup)
- Network Behavior: Contacts 29 domains and 5 hosts
MITRE ATT&CK™ Techniques Detection
Additional Context
Indicators
Not all malicious and suspicious indicators are displayed in this public report.

Malicious Indicators (4)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/70 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10

Network Related

Detected a large number of ARP broadcast requests (network device lookup)
- details: Attempt to find devices in networks: "192.168.240.0/25, 192.168.240.128/26, 192.168.240.192/27, 192.168.240.224/28, 192.168.240.240/29, 192.168.240.248/30, 192.168.240.252/31, 192.168.240.254/32"
- source: Network Traffic
- relevance: 10/10
- ATT&CK ID: T1016
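The eight CIDR blocks in the details above together cover 192.168.240.0 through 192.168.240.254, i.e. the guest's whole /24 except the broadcast address, which is what a full-subnet ARP sweep looks like from the wire. The Python below is added here as an example; it is not code from the Hybrid Analysis report or from NirSoft. It detects such a sweep in an ARP request log, collapses the probed addresses to exactly the CIDR list the report prints (the same aggregation `ipaddress.summarize_address_range` performs), and derives the in-addr.arpa PTR names that the report later lists under "Contacts domains". The log line format, the sender address 192.168.240.14 and the 32-target threshold are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the sandbox capture): two ordinary ARP
# exchanges, then the guest 192.168.240.14 probing every host address in
# 192.168.240.0/24 (.0 through .254), as the report's CIDR list implies.
ARP_LOG = [
    "ARP who-has 192.168.240.1 tell 192.168.240.14",
    "ARP who-has 192.168.240.14 tell 192.168.240.1",
] + [f"ARP who-has 192.168.240.{host} tell 192.168.240.14" for host in range(0, 255)]

_ARP_RE = re.compile(r"ARP who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def parse_arp_requests(lines):
    """Map each ARP sender to the set of target addresses it asked for."""
    targets = defaultdict(set)
    for line in lines:
        m = _ARP_RE.search(line)
        if m:
            targets[m.group(2)].add(ipaddress.IPv4Address(m.group(1)))
    return targets


def summarize_targets(addrs):
    """Collapse a set of addresses into the smallest CIDR list covering each
    contiguous run, which is the aggregation the report's details use."""
    ordered = sorted(addrs)
    runs, start, prev = [], ordered[0], ordered[0]
    for addr in ordered[1:]:
        if addr == prev + 1:          # IPv4Address supports integer arithmetic
            prev = addr
            continue
        runs.append((start, prev))
        start = prev = addr
    runs.append((start, prev))
    nets = []
    for lo, hi in runs:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return [str(n) for n in nets]


def ptr_query_names(addrs):
    """The reverse-lookup names a scanner resolves for each probed address
    (the report lists these under "Contacts domains")."""
    return sorted(a.reverse_pointer for a in addrs)


def detect_arp_sweeps(lines, threshold=32):
    """Return {sender: CIDR list} for senders that asked for at least
    `threshold` distinct targets; ordinary hosts fall well below it."""
    sweeps = {}
    for sender, tgts in parse_arp_requests(lines).items():
        if len(tgts) >= threshold:
            sweeps[sender] = summarize_targets(tgts)
    return sweeps


if __name__ == "__main__":
    for sender, cidrs in detect_arp_sweeps(ARP_LOG).items():
        print(f"{sender} swept: {', '.join(cidrs)}")
```

The threshold is the tuning knob: a host that ARPs for a gateway and a printer never approaches 32 distinct targets in one capture, whereas a discovery tool asks for every address in the subnet within seconds.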

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "52.26.103.165": ...
File SHA256: 2978e86f8dfa438d02d2ac04a03bf99a1a824923a6c8a10380ede874967c9824 (AV positives: 11/62 scanned on 03/02/2019 01:18:26)
File SHA256: bce82ec9025eb86b4b9fccd24b3a7d3a44d20d7683fce56af164c1bdeb9f3000 (AV positives: 17/71 scanned on 02/19/2019 11:14:08)
File SHA256: fd05ea9511c7500eabae03015ce2a9d35e7762176e4012a1fc0b1c5947c9e8dd (AV positives: 21/71 scanned on 02/15/2019 05:52:27)
File SHA256: fda45039e75e0fad0641a37ae45b4809970db31263b5e22cfd82622d279a95de (AV positives: 21/69 scanned on 02/15/2019 05:31:51)
File SHA256: a8d3db2155c6668073793c486ac273710f977770b12a0293a2a6eab0994e1f8b (AV positives: 23/71 scanned on 02/15/2019 04:01:05)
Found malicious artifacts related to "99.84.254.97": ...
URL: http://apps.sfcdn.org/apk/com.applidium.nickelodeon.bce9d3577aa62447dfdf5e560c2b07df.apk (AV positives: 4/69 scanned on 03/21/2019 13:12:35)
URL: http://apps.sfcdn.org/apk/com.wyt.iexuetang.tv.xxas.651633acfaca2b4c5d6a00b7912cfffb.apk (AV positives: 4/69 scanned on 03/21/2019 13:10:54)
URL: http://apps.sfcdn.org/apk/com.shafa.launcher.62cd07e6111407b7371be6c23e2291c3.apk (AV positives: 4/69 scanned on 03/21/2019 13:10:03)
URL: http://apps.sfcdn.org/apk/com.ftaro.kingwar.shafa.d2673f0483a7d379a2b8f3a86e1194ac.apk (AV positives: 6/66 scanned on 03/21/2019 03:08:51)
URL: http://apps.sfcdn.org/apk/cn.anyradio.pad.1373509488074.apk (AV positives: 6/66 scanned on 03/21/2019 03:09:08)
File SHA256: f1a97c433f29d7b1aa47840fd1ecdab57c7d1a6b927823d0e4a174524ba658b2 (AV positives: 2/57 scanned on 03/21/2019 03:09:14)
File SHA256: a3052d59930a9eba9774017b49e55b2f4e9b3cfa02984f2be09b7e52c99fa2e2 (AV positives: 2/57 scanned on 03/20/2019 14:28:54)
File SHA256: da581f0d8c4a92d8a87bace76b7c57a015a338f5466e6f40eee6acdcafa79081 (AV positives: 1/56 scanned on 03/19/2019 15:09:32)
File SHA256: d395aea43ba897ccf6a9bbe9a5acac7d69b683cdf013457ec0a51eceee193c45 (AV positives: 16/61 scanned on 02/28/2019 05:41:54)
File SHA256: 35e15ef3ac2bcea68a2e892e37c7a7fa50d869a0c95091593164227c92ba3279 (AV positives: 1/71 scanned on 02/17/2019 13:16:14)
Found malicious artifacts related to "172.217.9.35": ...
File SHA256: 0a59956577236d3596ed375b48ca80b5aab938f6215da5d9e3f2c9f732b23828 (AV positives: 48/66 scanned on 03/09/2019 22:57:06)
File SHA256: b2e0cf6a6dfdf8dc8d08fe86d788ec8fbff5805e842f768d5dbc16b64241588f (AV positives: 56/71 scanned on 02/10/2019 23:44:12)
File SHA256: 746b57ba5e2f39ad5607cc648da4ec35d69b24bb9257d369a7bc8fe2ead33633 (AV positives: 54/71 scanned on 01/26/2019 23:15:26)
File SHA256: 735d83338a4559460398ed571ea18bfe1463af83944b5bc074c54a93dcf48b26 (Date: 12/14/2017 02:16:26)
File SHA256: f75f7cd6543dcd3161c2a98fabc9f358341d986c6d92b29bf16dabb22ec50b21 (Date: 11/26/2017 10:19:41)
File SHA256: 1081b2706f6be81ff301339868956b5862d6109884f66f899a3e5791e1ec324e (Date: 11/26/2017 10:08:18)
File SHA256: 9f34186a32765460e56c32a5fb11d7968ddf194f634b84871544f4dad0edaf2f (Date: 11/08/2017 07:01:57)
File SHA256: 239ea1d6aec172fed5f6bc6179dd79a452f7769027624ed56fc23110179bbb6d (Date: 11/06/2017 19:00:13)
Found malicious artifacts related to "54.187.176.55": ...
URL: http://dfh.nexttagupdate.com/handle?fl=http://www.datafilehost.com/get.php?file=f516d232&m3&fs=11.04MB&d=game-pc-mustapha(allfreepcgamesandsoftwares.blogspot.com).rar (AV positives: 5/68 scanned on 10/07/2018 17:21:55)
URL: http://dfh.nexttagupdate.com/handle?fl=http%3A%2F%2Fwww.datafilehost.com%2Fget.php%3Ffile%3Df11baea8%26m3&fs=36.29+MB&d=north20.rar (AV positives: 5/68 scanned on 10/07/2018 17:05:11)
URL: http://dfh.nexttagupdate.com/handle?fl=www.datafilehost.com/get.php?file=5404fb37&m3&fs=1.51mb&d=facebookhackerprobytekgyd.com.apk (AV positives: 5/68 scanned on 10/07/2018 16:28:40)
URL: http://dfh.nexttagupdate.com/handle?fl=http%3A%2F%2Fwww.datafilehost.com%2Fget.php%3Ffile%3Dee34f157%26m3&fs=2.29+MB&d=FreeStore.ver.1.3.build.4[1].apk (AV positives: 5/68 scanned on 10/07/2018 16:26:13)
URL: http://dfh.nexttagupdate.com/handle?fl=http://www.datafilehost.com/get.php?file=5404fb37&m3&fs=1.51%20MB&d=FacebookHackerPro%20By%20Tekgyd.com.apk (AV positives: 5/68 scanned on 10/06/2018 04:34:51)
File SHA256: e748e865ad88a768d5cd928f03186cc3db95cbf7f0eaf577008a2927d05287a8 (AV positives: 34/71 scanned on 02/16/2019 04:39:12)
File SHA256: fa9db92d0a0920ca81cd72deb2d23bf5f68796c053119163d217af2430530ee1 (AV positives: 21/72 scanned on 02/15/2019 05:32:13)
File SHA256: dd6f94a9002bcfa2c3dba1159c9a746291ae21d165df08175fe7bd9a04b37b0c (AV positives: 21/71 scanned on 02/15/2019 04:36:19)
File SHA256: e7e36bb18453b48fcafb050627b3ae66ca75818d3bf4c46567cc0c1e05e7ff03 (AV positives: 21/71 scanned on 02/15/2019 04:29:07)
File SHA256: a132f638e31c48510f9f6a45f7fc9c4df3be1e3c3cc66d92e60e548df63f4d3e (AV positives: 22/70 scanned on 02/15/2019 02:55:58)
- source: Network Traffic
- relevance: 10/10

Multiple malicious artifacts seen in the context of different hosts
- details: the same artifact list as the previous indicator (hosts 52.26.103.165, 99.84.254.97, 172.217.9.35 and 54.187.176.55)
- source: Network Traffic
- relevance: 10/10

Suspicious Indicators (24)

Anti-Reverse Engineering

PE file has unusual entropy sections
- details: section UPX1 has entropy 7.8815 (the maximum is 8.0; values this close to it indicate compressed or encrypted data)
- source: Static Parser
- relevance: 10/10
Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details (each hit is a run of lines from a MAC-address OUI vendor table embedded in the binary; the matches are VMware's OUI prefixes 00-05-69, 00-0C-29, 00-1C-14 and 00-50-56, which is a weak signal for VM detection):
"orporation
00-1E-21 Qisda Corporation
00-17-CA Qisda Corporation
00-14-D1 TRENDnet, Inc.
00-1C-7E Toshiba
00-1C-14 VMware, Inc.
90-A2-10 United Telecoms Ltd
E0-2A-82 Universal Global Scientific Industrial Co., Ltd.
00-16-41 Universal Global Scientific Industrial Co., Ltd.
4C-33-4E HIGHTECH
00-13-15 Sony Interactive Entertainment Inc.
00-1F-A7 Sony Interactive Entertainment Inc.
A8-E3-EE Sony Interactive Entertainment Inc.
70-9E-29 Sony Interactive Entertainment Inc.
FC-0F-E6 Sony Interactive Entertainment Inc.
00-50-C2 IEEE Registration Authority
CC-79-CF SHENZHEN RF-LINK TECHNOLOGY CO.,LTD.
14-1F-BA IEEE Registration Authority
80-0A-80 IEEE Registration Authority
A4-4F-29 IEEE Registration Authority
5C-F2-86 IEEE Registration Authority
64-FB-81 IEEE Registration Authority
E4-95-6E IEEE Registration Authority
C8-8E-D1 IEEE Registration Authority
78-C2-C0 IEEE Registration Authority
88-5D-90 IEEE Registration Authority
3C-39-E7 IEEE Registration Authority
A0-BB-3E IEEE Registration Authority
6C-B9-C5 Delta Ne" (Indicator: "vmware")
"Ltd
EC-26-FB TECC CO.,LTD.
00-90-CC PLANEX COMMUNICATIONS INC.
E0-9D-B8 PLANEX COMMUNICATIONS INC.
90-3A-E6 PARROT SA
00-E0-0F Shanghai Baud Data Communication Co.,Ltd.
3C-40-4F GUANGDONG PISEN ELECTRONICS CO.,LTD
F0-AC-D7 IEEE Registration Authority
00-23-3E Alcatel-Lucent IPD
6C-BE-E9 Alcatel-Lucent IPD
00-80-F7 Zenith Electronics Corporation
00-C0-95 ZNYX Networks, Inc.
60-EB-69 QUANTA COMPUTER INC.
C8-0A-A9 QUANTA COMPUTER INC.
00-23-8B QUANTA COMPUTER INC.
00-07-BA UTStarcom Inc
44-39-C4 Universal Global Scientific Industrial Co., Ltd.
70-F3-95 Universal Global Scientific Industrial Co., Ltd.
00-1E-37 Universal Global Scientific Industrial Co., Ltd.
00-27-13 Universal Global Scientific Industrial Co., Ltd.
00-21-86 Universal Global Scientific Industrial Co., Ltd.
8C-FD-F0 Qualcomm Inc.
00-00-31 QPSX COMMUNICATIONS, LTD.
00-0E-7B Toshiba
B8-6B-23 Toshiba
00-0C-29 VMware, Inc.
00-50-56 VMware, Inc.
00-1C-4D Aplix IP Holdings Corporation
D0-05-2A Arcadyan Corporation
F4-85-C6 FDT Technologies
BC-60-A7 Son" (Indicator: "vmware")
"-44 QUANTA COMPUTER INC.
00-26-9E QUANTA COMPUTER INC.
68-35-63 SHENZHEN LIOWN ELECTRONICS CO.,LTD.
00-03-B2 Radware
2C-60-0C QUANTA COMPUTER INC.
00-1E-68 QUANTA COMPUTER INC.
00-A0-9B QPSX COMMUNICATIONS, LTD.
00-E0-8B QLogic Corporation
00-08-0D Toshiba
00-15-B7 Toshiba
00-05-69 VMware, Inc.
00-08-F1 Voltaire
00-1B-DA UTStarcom Inc
FC-4D-D4 Universal Global Scientific Industrial Co., Ltd.
40-2C-F4 Universal Global Scientific Industrial Co., Ltd.
00-10-C6 Universal Global Scientific Industrial Co., Ltd.
00-24-7E Universal Global Scientific Industrial Co., Ltd.
00-16-39 Ubiquam Co., Ltd.
18-39-19 Unicoi Systems
90-A4-6A SISNET CO., LTD
14-E7-C8 Integrated Device Technology (Malaysia) Sdn. Bhd.
28-0D-FC Sony Interactive Entertainment Inc.
00-15-C1 Sony Interactive Entertainment Inc.
00-19-C5 Sony Interactive Entertainment Inc.
AC-A2-13 Shenzhen Bilian electronic CO.,LTD
38-F8-CA OWIN Inc.
54-D2-72 Nuki Home Solutions GmbH
9C-A3-A9 Guangzhou Juan Optical and Electronical Tech Joint Stock Co., Ltd
D0-22-12 IEE" (Indicator: "vmware")
- source: File/Memory
- relevance: 4/10

Reads the active computer name
- details: "wnetwatcher.zip.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012
General

Contains ability to find and load resources of a specific module
- details: LoadResource@KERNEL32.DLL from wnetwatcher.zip.exe (PID: 2244), seen twice
- source: Hybrid Analysis Technology
- relevance: 1/10

POSTs files to a webserver
- details (the Content-Type and the ocsp.pki.goog host show this is an OCSP certificate-status request to Google's responder, not a file upload):
"POST /GTSGIAG3 HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 83
Content-Type: application/ocsp-request
Connection: keep-alive" with no payload
- source: Network Traffic
- relevance: 5/10
Installation/Persistence

Monitors specific registry key for changes
- details (these are the Winsock2 catalog keys; ws2_32.dll registers these change notifications for any process that initialises Winsock):
"wnetwatcher.zip.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
"wnetwatcher.zip.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1012
Network Related

Found potential IP address in binary/memory
- details:
"192.168.0.1"
"192.168.0.255"
Heuristic match: "1.240.168.192.in-addr.arpa"
Heuristic match: "10.240.168.192.in-addr.arpa"
Heuristic match: "11.240.168.192.in-addr.arpa"
Heuristic match: "12.240.168.192.in-addr.arpa"
Heuristic match: "13.240.168.192.in-addr.arpa"
Heuristic match: "14.240.168.192.in-addr.arpa"
Heuristic match: "18.240.168.192.in-addr.arpa"
Heuristic match: "2.240.168.192.in-addr.arpa"
Heuristic match: "246.240.168.192.in-addr.arpa"
Heuristic match: "25.240.168.192.in-addr.arpa"
Heuristic match: "26.240.168.192.in-addr.arpa"
Heuristic match: "3.240.168.192.in-addr.arpa"
Heuristic match: "31.240.168.192.in-addr.arpa"
Heuristic match: "33.240.168.192.in-addr.arpa"
Heuristic match: "34.240.168.192.in-addr.arpa"
Heuristic match: "4.240.168.192.in-addr.arpa"
Heuristic match: "5.240.168.192.in-addr.arpa"
Heuristic match: "6.240.168.192.in-addr.arpa"
Heuristic match: "64.240.168.192.in-addr.arpa"
Heuristic match: "82.240.168.192.in-addr.arpa"
Heuristic match: "89.240.168.192.in-addr.arpa"
Heuristic match: "9.240.168.192.in-addr.arpa"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details (connections to port 443 are expected to be TLS, so the absence of a cleartext HTTP header there is normal; only the port 80 connection is unusual):
TCP traffic to 52.26.103.165 on port 443 is sent without HTTP header
TCP traffic to 99.84.254.97 on port 443 is sent without HTTP header
TCP traffic to 172.217.9.42 on port 443 is sent without HTTP header
TCP traffic to 172.217.9.35 on port 80 is sent without HTTP header
TCP traffic to 54.187.176.55 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
- source: Network Traffic
- relevance: 10/10
Remote Access Related

Reads terminal service related keys (often RDP related)
- details: "wnetwatcher.zip.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1076
Spyware/Information Retrieval

Contains ability to open the clipboard
- details: OpenClipboard@USER32.DLL from wnetwatcher.zip.exe (PID: 2244), seen three times
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115
System Destruction

Opens file with deletion access rights
- details: "wnetwatcher.zip.exe" opened "C:\report.html" with delete access
- source: API Call
- relevance: 7/10
Unusual Characteristics

Entrypoint in PE header is within an uncommon section
- details: "WNetWatcher.exe.bin" has an entrypoint in section "UPX1"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details: RegCloseKey, VirtualProtect, GetProcAddress, VirtualAlloc, LoadLibraryA, ShellExecuteW (the minimal import set a UPX stub leaves visible; the program's real imports are only resolved after unpacking)
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details: "wnetwatcher.zip.exe" wrote bytes "c04e927720549377e0659377b53894770000000000d0e97600000000c5eae9760000000088eae97600000000e968987582289477ee29947700000000d2699875000000007dbbe9760000000009be987500000000ba18e97600000000" to virtual address "0x77AE1000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details: "wnetwatcher.zip.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 8 Suspicious Indicators (not shown in this public report)

Informative (17)

Anti-Reverse Engineering

PE file contains zero-size sections
- details: Raw size of "UPX0" is zero (normal for UPX output: UPX0 is the empty virtual region the unpacking stub decompresses the original image into)
- source: Static Parser
- relevance: 10/10

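Taken together, the three static-parser findings on this sample (entry point inside UPX1, UPX1 entropy 7.88, zero raw size for UPX0) are the fingerprint of a UPX-packed executable: UPX0 reserves the address range the stub unpacks into, and UPX1 holds the compressed image plus the stub that the entry point lands in. The Python below is added here as an example, not code from the report, from Hybrid Analysis or from NirSoft. It reproduces those three checks with a minimal PE section-table parser and runs it on a constructed, UPX-shaped PE32 image, since the real WNetWatcher.exe bytes are not on the page; the image layout, the section sizes and the 7.5 entropy threshold are assumptions of the example.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0); packed/encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk the DOS stub, COFF header and section table of a PE32/PE32+ image
    and return (AddressOfEntryPoint, [section info dicts])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "entropy": shannon_entropy(raw),
        })
        off += 40   # sizeof(IMAGE_SECTION_HEADER)
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains `rva`, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None


def static_triage(pe, entropy_threshold=7.5):
    """The report's three static indicators for one image, plus a packer hint."""
    entry_rva, sections = parse_sections(pe)
    ep = section_for_rva(sections, entry_rva)
    return {
        "entry_section": ep,
        "entry_outside_text": ep not in (".text", "CODE"),
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= entropy_threshold],
        "zero_raw_size_sections": [s["name"] for s in sections if s["raw_size"] == 0],
        "packer_hint": "UPX" if any(s["name"].startswith("UPX") for s in sections) else None,
    }


def build_sample_upx_like_pe(seed=1234):
    """Constructed PE32 image (an assumption of this example, not WNetWatcher.exe):
    UPX0 with zero raw size, UPX1 holding pseudo-random (high-entropy) bytes
    with the entry point near its end, and a low-entropy .rsrc section."""
    rng = random.Random(seed)
    upx1_data = bytes(rng.getrandbits(8) for _ in range(0x800))
    rsrc_data = b"\0" * 0x180 + b"A" * 0x80
    entry_rva = 0x11000 + 0x7C0
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [
        (b"UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080),
        (b"UPX1", 0x1000, 0x11000, 0x800, 0x400, 0xE0000040),
        (b".rsrc", 0x1000, 0x12000, 0x200, 0xC00, 0xC0000040),
    ]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x800, 0, 0, entry_rva, 0x11000, 0x12000)
    opt = (opt + struct.pack("<I", 0x400000)).ljust(224, b"\0")     # ImageBase, rest zeroed
    hdr = dos + b"PE\0\0" + coff + opt
    for name, vs, va, rs, rp, ch in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, vs, va, rs, rp, 0, 0, 0, 0, ch)
    return hdr.ljust(0x400, b"\0") + upx1_data + rsrc_data


if __name__ == "__main__":
    print(static_triage(build_sample_upx_like_pe()))
```

On a real file, pass `open(path, "rb").read()` to `static_triage`; the same three signals fire for any UPX-packed binary, benign or not, so they identify the packer rather than malicious intent, which is why the report still classifies this sample as clean on balance.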
Environment Awareness

Contains ability to query machine time
- details:
GetSystemTimeAsFileTime@KERNEL32.DLL from wnetwatcher.zip.exe (PID: 2244)
GetLocalTime@KERNEL32.DLL from wnetwatcher.zip.exe (PID: 2244)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details: GetVersionExW@KERNEL32.DLL from wnetwatcher.zip.exe (PID: 2244)
- source: Hybrid Analysis Technology
- relevance: 1/10

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/37 Antivirus vendors marked sample as malicious (0% detection rate); this is a second external scan, distinct from the 1/70 result listed under Malicious Indicators
- source: External System
- relevance: 10/10
General

Contacts domains
- details:
"ocsp.pki.goog"
"1.240.168.192.in-addr.arpa"
"10.240.168.192.in-addr.arpa"
"11.240.168.192.in-addr.arpa"
"12.240.168.192.in-addr.arpa"
"13.240.168.192.in-addr.arpa"
"14.240.168.192.in-addr.arpa"
"18.240.168.192.in-addr.arpa"
"2.240.168.192.in-addr.arpa"
"246.240.168.192.in-addr.arpa"
"25.240.168.192.in-addr.arpa"
"26.240.168.192.in-addr.arpa"
"3.240.168.192.in-addr.arpa"
"31.240.168.192.in-addr.arpa"
"33.240.168.192.in-addr.arpa"
"34.240.168.192.in-addr.arpa"
"4.240.168.192.in-addr.arpa"
"5.240.168.192.in-addr.arpa"
"6.240.168.192.in-addr.arpa"
"64.240.168.192.in-addr.arpa"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"52.26.103.165:443"
"99.84.254.97:443"
"172.217.9.42:443"
"172.217.9.35:80"
"54.187.176.55:443"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details: "c:\Projects\VS2005\WNetWatcher\Release\WNetWatcher.pdb"
- source: File/Memory
- relevance: 1/10

The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" (SHA1: 8A:D5:C9:98:7E:6F:19:0B:D6:F5:41:6E:2D:E4:4C:CD:64:1D:8C:DA)
The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: 03:A5:B1:46:63:EB:12:02:30:91:B8:4A:6D:6A:68:BC:87:1D:E6:6B)
The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: B6:47:71:39:25:38:D1:EB:7A:92:81:99:87:91:C1:4A:FD:0C:50:35)
The input sample is signed with a certificate issued by "CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: A8:0B:AE:DA:57:3D:F2:71:2F:23:A4:18:57:E6:48:47:5E:AC:9B:A5)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- details: The entire certificate chain of the input sample was validated successfully (at analysis time, 2019-03-22; the UTN-USERFirst-Object certificate in the chain listed under File Certificates is only valid until 05/30/2020)
- source: Certificate Data
- relevance: 10/10
Installation/Persistence

Connects to LPC ports
- details: "wnetwatcher.zip.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details: "wnetwatcher.zip.cfg" has type "data" (a configuration file named after the executable)
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
"wnetwatcher.zip.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"wnetwatcher.zip.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"wnetwatcher.zip.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details (the usertrust.com and comodoca.com entries are the CRL, OCSP and CPS URLs carried in the signing certificate chain; the in-addr.arpa names are reverse lookups for the swept subnet):
Heuristic match: ",+DcYX .Ma"
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/AddTrustExternalCARoot.crl05"
Pattern match: "http://ocsp.usertrust.com0"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl0t"
Pattern match: "crt.usertrust.com/UTNAddTrustObject_CA.crt0%"
Pattern match: "https://secure.comodo.net/CPS0A"
Pattern match: "crl.comodoca.com/COMODOCodeSigningCA2.crl0r"
Pattern match: "crt.comodoca.com/COMODOCodeSigningCA2.crt0$"
Pattern match: "http://ocsp.comodoca.com0"
Pattern match: "https://secure.comodo.net/CPS0C"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
Heuristic match: "p@.Bi"
Pattern match: "http://www.nirsoft.net/"
Heuristic match: "2 CentraLite Systems, Inc.
00-16-96 QDI Technology (H.K.) Limited
00-16-88 ServerEngines LLC
00-16-8A id-Confirm Inc
00-16-83 WEBIO International Co.,.Ltd.
00-16-7C iRex Technologies BV
00-16-10 Carina Technology
00-16-0B TVWorks LLC
00-16-04 Sigpro
00-15-"
Heuristic match: "1.240.168.192.in-addr.arpa"
Heuristic match: "10.240.168.192.in-addr.arpa"
Heuristic match: "11.240.168.192.in-addr.arpa"
Heuristic match: "12.240.168.192.in-addr.arpa"
Heuristic match: "13.240.168.192.in-addr.arpa"
Heuristic match: "14.240.168.192.in-addr.arpa"
Heuristic match: "18.240.168.192.in-addr.arpa"
Heuristic match: "2.240.168.192.in-addr.arpa"
Heuristic match: "246.240.168.192.in-addr.arpa"
Heuristic match: "25.240.168.192.in-addr.arpa"
Heuristic match: "26.240.168.192.in-addr.arpa"
Heuristic match: "3.240.168.192.in-addr.arpa"
Heuristic match: "31.240.168.192.in-addr.arpa"
Heuristic match: "33.240.168.192.in-addr.arpa"
Heuristic match: "34.240.168.192.in-addr.arpa"
Heuristic match: "4.240.168.192.in-addr.arpa"
Heuristic match: "5.240.168.192.in-addr.arpa"
Heuristic match: "6.240.168.192.in-addr.arpa"
Heuristic match: "64.240.168.192.in-addr.arpa"
Heuristic match: "82.240.168.192.in-addr.arpa"
Heuristic match: "89.240.168.192.in-addr.arpa"
Heuristic match: "9.240.168.192.in-addr.arpa"
Heuristic match: "a1089.dscd.akamai.net"
Heuristic match: "cs9.wac.phicdn.net"
Heuristic match: "dcky6u1m8u6el.cloudfront.net"
Heuristic match: "detectportal.firefox.com"
Heuristic match: "safebrowsing.googleapis.com"
Heuristic match: "shavar.prod.mozaws.net"
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval

Found a reference to a known community page
- details (the "paypal" and "myspace" hits are the OUI vendor-table entries "B8-75-C0 PayPal, Inc." and "00-05-BB Myspace AB", not URLs of those sites):
"y
4C-83-DE Cisco SPVTG
5C-B6-CC NovaComm Technologies Inc.
B4-AE-6F Circle Reliance, Inc DBA Cranberry Networks
B8-99-19 7signal Solutions, Inc
90-DA-6A FOCUS H&S Co., Ltd.
A4-5D-A1 ADB Broadband Italia
E8-EF-89 OPMEX Tech.
F4-C4-47 Coagent International Enterprise Limited
08-DF-1F Bose Corporation
54-2A-A2 Alpha Networks Inc.
84-94-8C Hitron Technologies. Inc
CC-A0-E5 DZG Metering GmbH
30-59-B7 Microsoft
08-74-F6 Winterhalter Gastronom GmbH
FC-C2-DE Murata Manufacturing Co., Ltd.
1C-1C-FD Dalian Hi-Think Computer Technology, Corp
70-62-B8 D-Link International
B8-75-C0 PayPal, Inc.
E4-7F-B2 FUJITSU LIMITED
38-26-2B UTran Technology
20-ED-74 Ability enterprise co.,Ltd.
78-24-AF ASUSTek COMPUTER INC.
0C-AC-05 Unitend Technologies Inc.
B4-B8-59 Texa Spa
04-5C-8E gosund GROUP CO.,LTD
54-B7-53 Hunan Fenghui Yinjia Science And Technology Co.,Ltd
48-26-E8 Tek-Air Systems, Inc.
A0-12-DB TABUCHI ELECTRIC CO.,LTD
AC-B8-59 Uniband Electronic Corp,
10-0F-18 Fu Gang Electronic(KunShan)CO.,LTD
C8-D5-90 FLIGHT DATA SYSTEMS" (Indicator: "paypal")
"etards Ltd
00-06-A7 Primarion
00-06-57 Market Central, Inc.
00-06-97 R & D Center
00-06-91 PT Inovacao
00-05-C7 I/F-COM A/S
00-05-CE Prolink Microsystems Corporation
00-05-C1 A-Kyung Motion, Inc.
00-05-BB Myspace AB
00-05-9B Cisco Systems, Inc
00-05-B5 Broadcom Technologies
00-05-9A Cisco Systems, Inc
00-05-A1 Zenocom
00-05-AB Cyber Fone, Inc.
00-05-88 Sensoria Corp.
00-05-8E Flextronics International GmbH & Co. Nfg. KG
00-06-12 Accusys, Inc.
00-06-09 Crossport Systems
00-06-0F Narad Networks Inc
00-06-02 Cirkitech Electronics Co.
00-05-ED Technikum Joanneum GmbH
00-06-00 Toshiba Teli Corporation
00-05-E7 Netrake an AudioCodes Company
00-05-F3 Webyn
00-05-FA IPOptical, Inc.
00-05-DE Gi Fone Korea, Inc.
00-05-DA Apex Automationstechnik
00-05-C8 VERYTECH
00-05-D4 FutureSmart Networks, Inc.
00-06-DF AIDONIC Corporation
00-06-E0 MAT Co., Ltd.
00-06-E5 Fujian Newland Computer Ltd. Co.
00-06-DB ICHIPS Co., Ltd.
00-06-D0 Elgar Electronics Corp.
00-06-D7 Cisco Systems, Inc
00-06-CA American Computer & Digital Compon" (Indicator: "myspace")
- source: File/Memory
- relevance: 7/10
System Security

Creates or modifies windows services
- details: "wnetwatcher.zip.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"); this is the TCP/IP stack's parameter key rather than a service definition, and RegCreateKeyEx on an existing key simply opens it
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "wnetwatcher.zip.exe" opened "\Device\KsecDD" (the device behind the user-mode CNG/BCrypt primitives, so this appears for most processes that use Windows crypto or TLS)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215

Unusual Characteristics

Matched Compiler/Packer signature
- details: "WNetWatcher.exe.bin" was detected as "Netopsystems FEAD Optimizer 1"; note that the UPX0/UPX1 section names and the file-type description under File Details identify the packer as UPX
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1002
File Details
WNetWatcher.exe
- Filename
- WNetWatcher.exe
- Size
- 343KiB (350928 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture
- WINDOWS
- SHA256
- 91bdcf28f2ed05c8e3b54ca9cf81243eb90fc1f657525de4b40bb06d428db0eb
- MD5
- ffa98e2950de463b06041da89cced35a
- SHA1
- 98200541fa8d25e339c63223ac3780135f3fe59f
- ssdeep
- 6144:ZzOtynDa0XGJqbIk5BGpK6kVjgu/crQBTkaAVnBijhRFKSp2pM41:AADapJIPGpK6ki6crQBFAVBs/F5p2/
- imphash
- 8fe31596abc9666916f5862125d7da4b
- authentihash
- a80dea5df8609b936ec00ead04407b6a5f113a0d7e8491350c31dd2cd63fd2aa
- Compiler/Packer
- Netopsystems FEAD Optimizer 1
Version Info
- LegalCopyright
- Copyright 2011 - 2018 Nir Sofer
- InternalName
- Wireless Network Watcher
- FileVersion
- 2.18
- CompanyName
- NirSoft
- ProductName
- Wireless Network Watcher
- ProductVersion
- 2.18
- FileDescription
- Wireless Network Watcher
- OriginalFilename
- WNetWatcher.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 38.2% (.EXE) UPX compressed Win32 Executable
- 37.5% (.EXE) Win32 EXE Yoda's Crypter
- 9.2% (.DLL) Win32 Dynamic Link Library (generic)
- 6.3% (.EXE) Win32 Executable (generic)
- 2.8% (.EXE) OS/2 Executable (generic)
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 1 .RES Files linked with CVTRES.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 31 .CPP Files (with LTCG) compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 3 .LIB Files generated with LIB.EXE 7.00 (Visual Studio .NET 2002) (build: 9210)
- 11 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 9178)
- 3 .ASM Files assembled with MASM 7.00 (Visual Studio .NET 2002) (build: 9210)
- 22 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File was optimized using LTCG and/or POGO
- File is the product of a medium codebase (31 files)
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Serial | Valid from | Valid to | MD5 | SHA1 |
---|---|---|---|---|---|---|
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 421af2940984191f520a4bc62426a74b | 06/07/2005 08:09:10 | 05/30/2020 10:48:38 | FF:5F:BC:42:90:FA:38:9E:79:84:67:EB:D7:AE:94:0B | 8A:D5:C9:98:7E:6F:19:0B:D6:F5:41:6E:2D:E4:4C:CD:64:1D:8C:DA |
CN=COMODO SHA-1 Time Stamping Signer, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | 1688f039255e638e69143907e6330b | 12/31/2015 00:00:00 | 07/09/2019 18:40:36 | 8F:C6:01:B2:F5:01:26:30:60:AC:8D:52:9D:37:A2:94 | 03:A5:B1:46:63:EB:12:02:30:91:B8:4A:6D:6A:68:BC:87:1D:E6:6B |
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | 10709d4ff55408d7306001d8ea9175bb | 08/24/2011 00:00:00 | 05/30/2020 10:48:38 | DB:84:B1:A0:71:5C:FD:1E:33:D1:93:5D:DC:9B:EB:4E | B6:47:71:39:25:38:D1:EB:7A:92:81:99:87:91:C1:4A:FD:0C:50:35 |
CN=Nir Sofer, O=Nir Sofer, STREET=5 Hashoshanim st., L=Ramat Gan, ST=Gush Dan, OID.2.5.4.17=52583, C=IL | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 1af0660e837a35a2cd92ec613fc15db8 | 09/12/2014 00:00:00 | 09/12/2019 23:59:59 | 20:08:03:20:FB:D4:63:05:C5:57:81:75:AB:0A:9E:AA | A8:0B:AE:DA:57:3D:F2:71:2F:23:A4:18:57:E6:48:47:5E:AC:9B:A5 |
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- wnetwatcher.zip.exe (PID: 2244)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
1.240.168.192.in-addr.arpa | - | - | - |
10.240.168.192.in-addr.arpa | - | - | - |
11.240.168.192.in-addr.arpa | - | - | - |
12.240.168.192.in-addr.arpa | - | - | - |
13.240.168.192.in-addr.arpa | - | - | - |
14.240.168.192.in-addr.arpa | - | - | - |
18.240.168.192.in-addr.arpa | - | - | - |
2.240.168.192.in-addr.arpa | - | - | - |
246.240.168.192.in-addr.arpa | - | - | - |
25.240.168.192.in-addr.arpa | - | - | - |
26.240.168.192.in-addr.arpa | - | - | - |
3.240.168.192.in-addr.arpa | - | - | - |
31.240.168.192.in-addr.arpa | - | - | - |
33.240.168.192.in-addr.arpa | - | - | - |
34.240.168.192.in-addr.arpa | - | - | - |
4.240.168.192.in-addr.arpa | - | - | - |
5.240.168.192.in-addr.arpa | - | - | - |
6.240.168.192.in-addr.arpa | - | - | - |
64.240.168.192.in-addr.arpa | - | - | - |
82.240.168.192.in-addr.arpa | - | - | - |
89.240.168.192.in-addr.arpa | - | - | - |
9.240.168.192.in-addr.arpa | - | - | - |
a1089.dscd.akamai.net | 204.237.142.178 (TTL: 19) | - | United States |
cs9.wac.phicdn.net | 72.21.91.29 (TTL: 599) | - | United States |
dcky6u1m8u6el.cloudfront.net | 54.192.23.177 (TTL: 59) | - | United States |
detectportal.firefox.com | 204.237.142.178 (TTL: 37) | - | United States |
ocsp.pki.goog | 172.217.9.35 (TTL: 191) | - | United States |
safebrowsing.googleapis.com | 172.217.1.138 (TTL: 299) | - | United States |
shavar.prod.mozaws.net | 52.88.72.192 (TTL: 42) | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
52.26.103.165 | 443/TCP | firefox.exe (PID: 4136) | United States |
99.84.254.97 | 443/TCP | firefox.exe (PID: 4136) | United States |
172.217.9.42 | 443/TCP | firefox.exe (PID: 4136) | United States |
172.217.9.35 | 80/TCP | firefox.exe (PID: 4136) | United States |
54.187.176.55 | 443/TCP | firefox.exe (PID: 4136) | United States |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
172.217.9.35:80 (ocsp.pki.goog) | POST | ocsp.pki.goog/GTSGIAG3 |
Raw request:
POST /GTSGIAG3 HTTP/1.1
Host: ocsp.pki.goog
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 83
Content-Type: application/ocsp-request
Connection: keep-alive
Memory Forensics
String | Context | Stream UID |
---|---|---|
192.168.0.1 | Domain/IP reference | 00036357-00002244-61318-490-00401F4A |
http://www.nirsoft.net | Domain/IP reference | 00036357-00002244-61318-268-00402C39 |
192.168.0.255 | Domain/IP reference | 00036357-00002244-61318-490-00401F4A |
Extracted Files
-
Informative 1
-
-
wnetwatcher.zip.cfg
- Size
- 8.3KiB (8466 bytes)
- Type
- data
- Runtime Process
- wnetwatcher.zip.exe (PID: 2244)
- MD5
- 369e703e53737292698995d35a414c27
- SHA1
- ded0689e8f866ad6fa8822515b28512304f1f3f7
- SHA256
- 4055b5e709dfc9c6161c922198872b11d52166e627b0f765180b3c53825b60b3
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "network-0" are available in the report
- Not all sources for indicator ID "network-32" are available in the report
- Some low-level data is hidden, as this is only a slim report