
HTTP traffic detected: POST /wgc/installer_started HTTP/1.1 Host: wgusst-wgcna.warga User-Agent: wg::http::curl_http_request 1.
Source: C:\Users\user\AppData\Local\Temp\is-JDCB6.tmp\world_of_tanks_install_na_c2vlama388ae.tmp
Code function: 2_2_0040AED0 FindFirstFileW,FindClose,
Code function: 2_2_00578684 FindFirstFileW,GetLastError,
Code function: 2_2_0040A90C GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Code function: 2_2_005D1A30 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
Code function: 2_2_057F42F0 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,
DNS traffic detected: queries for: wgusst-wgcna.warg exe
Code function: 0_2_004078C8 FindFirstFileW,FindClose,
Code function: 0_2_00407304 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,

Source: C:\Users\user\Desktop\world_of_tanks_install_na_c2vlama388ae.
Vclstylesinno.dll wargaming game center code#
Uses code obfuscation techniques (call, push, ret)
Contains functionality to enumerate / list files inside a directory
Sample file is different than original file name gathered from version info
PE file contains sections with non-standard names
PE file contains executable resources (Code or Archives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Contains functionality to query locales information (e.g. system language)
