Windows
Analysis Report
LisectAVT_2403002C_101.dll
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Process tree (the indentation of the original tree was lost; entries are listed flat in the original order). loaddll32.exe is the sandbox's loader: it invokes the DLL by ordinal (#1) through cmd.exe/rundll32.exe and then starts a separate rundll32.exe for each listed export name (GnrkBltvkx … GnrkNlqh). All rundll32.exe instances share MD5 889B99C52A60DD49227C5E485A016679.

Process | PID | Command line | MD5 |
---|---|---|---|
loaddll32.exe | 2460 | loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll" | 51E6071F9CBA48E79F10C84515AAE618 |
conhost.exe | 7100 | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 0D698AF330FD17BEE3BF90011D49251D |
cmd.exe | 1396 | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",#1 | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
rundll32.exe | 6540 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",#1 | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 3128 | rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002C_101.dll,GnrkBltvkx | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 5596 | rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002C_101.dll,GnrkBmoaar | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 6152 | rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002C_101.dll,GnrkCyrpw | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 4368 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkBltvkx | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 4448 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkBmoaar | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 360 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkCyrpw | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 5060 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkZtdij | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 4524 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkZewk | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 6052 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkXzwnp | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 1352 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkXalbb | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 348 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWyey | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 3668 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWtlrh | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 2616 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWsnq | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 6504 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkWapq | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 3568 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkVnndq | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 1968 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkUsmc | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 6404 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTrg | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7056 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTjxdo | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 1292 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTch | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 1784 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkTcfv | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 2300 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkStso | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 3652 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkSf | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 6056 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkSbq | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 4676 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkRrdcfn | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7172 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkQulon | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7180 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkQr | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7188 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkQm | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7200 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkPp | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7208 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOxft | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7216 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOksgc | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7244 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOi | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7268 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOhqbhe | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7276 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkOda | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7288 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNsdwzc | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7328 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNr | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7344 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNofovl | 889B99C52A60DD49227C5E485A016679 |
rundll32.exe | 7364 | rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002C_101.dll",GnrkNlqh | 889B99C52A60DD49227C5E485A016679 |

- cleanup
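The process tree above is what a sandbox's export enumeration looks like in a process-creation log: one rundll32.exe per export, the DLL path sometimes quoted and sometimes not, an ordinal (#1) as well as names, and a cmd.exe /C wrapper around one invocation. The following Python is an added example, not part of the Joe Sandbox report, that parses that command-line grammar and groups the calls per DLL so a detection can flag a DLL executed by rundll32 from a user-writable directory. The sample command lines are a constructed subset of the tree (plus one benign shell32.dll call for contrast), and the list of user-writable directories is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the report's process tree (the sandbox runs the
# sample from C:\Users\user\Desktop) plus one benign system-DLL call for contrast.
SAMPLE_CMDLINES = [
    'loaddll32.exe "C:\\Users\\user\\Desktop\\LisectAVT_2403002C_101.dll"',
    'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\LisectAVT_2403002C_101.dll",#1',
    'rundll32.exe "C:\\Users\\user\\Desktop\\LisectAVT_2403002C_101.dll",#1',
    'rundll32.exe C:\\Users\\user\\Desktop\\LisectAVT_2403002C_101.dll,GnrkBltvkx',
    'rundll32.exe "C:\\Users\\user\\Desktop\\LisectAVT_2403002C_101.dll",GnrkZtdij',
    'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
]

# Directories a standard user can write to. A DLL that rundll32 loads from here
# deserves a look. This list is an assumption for the example, not a complete one.
USER_WRITABLE = re.compile(
    r'^[A-Za-z]:\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\', re.IGNORECASE)


@dataclass(frozen=True)
class Rundll32Call:
    dll: str
    export: Optional[str]   # export name, "#N" for an ordinal, or None
    is_ordinal: bool


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Extract the DLL path and entry point from a rundll32 command line.

    rundll32 takes '<dll>,<entry>' as its first argument. The path may be quoted,
    the entry may be a name or '#ordinal', and the whole call may be wrapped in
    'cmd.exe /C ...' as in the report's tree. Returns None for command lines that
    do not invoke rundll32 (loaddll32.exe is the sandbox's own loader).
    """
    m = re.search(r'\brundll32(?:\.exe)?\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:
        mm = re.match(r'([^,\s]+)(.*)$', rest)   # unquoted: up to first comma/space
        if not mm:
            return None
        dll, tail = mm.group(1), mm.group(2)
    tail = tail.strip()
    export = None
    if tail.startswith(','):
        parts = tail[1:].split()
        export = parts[0] if parts else None
    return Rundll32Call(dll, export, bool(export and export.startswith('#')))


def triage(cmdlines):
    """Group rundll32 invocations by DLL.

    Returns {dll: {"exports": [entries in first-seen order], "suspicious": bool}}
    where suspicious means the DLL lives under a user-writable directory.
    """
    out = {}
    for c in cmdlines:
        call = parse_rundll32(c)
        if call is None:
            continue
        entry = out.setdefault(
            call.dll,
            {"exports": [], "suspicious": bool(USER_WRITABLE.search(call.dll))})
        if call.export and call.export not in entry["exports"]:
            entry["exports"].append(call.export)
    return out


if __name__ == "__main__":
    for dll, info in triage(SAMPLE_CMDLINES).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10s} {dll}  exports={info['exports']}")
```

Grouping by DLL rather than alerting per process matters here: the same DLL appears in 38 rundll32 processes, and one alert carrying the full export list is far easier to triage than 38 near-identical ones. The path heuristic alone is noisy on developer machines, so pair it with the ordinal-or-unknown-export signal before paging anyone.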
Sigma rule matched (author: Florian Roth (Nextron Systems); rule title not preserved)

Suricata IDS alerts, in chronological order:

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
2024-07-25T11:03:50.937557+0200 | 2036858 | 49717 | 8080 | TCP | Malware Command and Control Activity Detected |
2024-07-25T11:04:12.566298+0200 | 2022930 | 443 | 49705 | TCP | A Network Trojan was detected |
2024-07-25T11:04:50.190026+0200 | 2022930 | 443 | 49713 | TCP | A Network Trojan was detected |
2024-07-25T11:04:51.489726+0200 | 2036858 | 49712 | 80 | TCP | Malware Command and Control Activity Detected |
2024-07-25T11:05:13.891219+0200 | 2036858 | 49714 | 80 | TCP | Malware Command and Control Activity Detected |
2024-07-25T11:05:30.970079+0200 | 2036858 | 49715 | 80 | TCP | Malware Command and Control Activity Detected |

The four SID 2036858 alerts matched client-to-server traffic from ephemeral ports to 80 and 8080, i.e. plain HTTP; the two SID 2022930 alerts have source port 443, so they matched the server-to-client side of TLS sessions. The rule names for both SIDs were not preserved.
Signature rows (per-row details such as process, URL and string values were not preserved; row types, counts and code-function addresses survive):

AV Detection |
---|
Integrated Neural Analysis Model |
Code function: 0_2_6CE891E0, 30_2_6CE891E0 |
Static PE information |
HTTPS traffic detected (2 entries) |
Static PE information |
Code function: 0_2_6CE82C90 |
Networking |
---|
Network Connect |
Domain query |
TCP traffic |
IP Address (2 entries) |
ASN Name |
JA3 fingerprint |
HTTP traffic detected (4 entries) |
TCP traffic detected without corresponding DNS query (34 entries) |
Code function: 30_2_6CEA2DE0 |
HTTP traffic detected (2 entries) |
DNS traffic detected |
HTTP traffic detected |
String found in binary or memory (12 entries) |
Network traffic detected (9 entries) |
HTTPS traffic detected (2 entries) |
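The Networking signatures include 34 rows of "TCP traffic detected without corresponding DNS query", and the IP table later in the report shows that of the five public peers only 52.90.110.169 carries a host name (ec2-52-90-110-169.compute-1.amazonaws.com). The following Python is an added example, not part of the Joe Sandbox report, of the correlation behind that signature: index DNS answers by IP, then flag any connection to a public address that no answer within the preceding window covered. The peer IPs come from the report's IP table; the log format, the timestamps (seconds into the run), the choice of 1.1.1.1 as resolver, and the ports are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample logs. The public IPs and the ec2 host name are taken from the
# report's IP table; the timestamps, the resolver choice and the ports are assumptions.
DNS_LOG = [
    # (t, resolver_ip, queried_name, answer_ips)
    (10.0, "1.1.1.1", "ec2-52-90-110-169.compute-1.amazonaws.com", ["52.90.110.169"]),
]
CONN_LOG = [
    # (t, dst_ip, dst_port)
    (5.0, "1.1.1.1", 53),           # the resolver itself: exempt
    (12.0, "52.90.110.169", 80),    # answered 2 s earlier: covered
    (30.0, "13.85.23.86", 443),     # no DNS answer for this IP: flag
    (31.0, "162.159.36.2", 443),    # no DNS answer for this IP: flag
    (32.0, "192.168.2.1", 445),     # private address: ignored
    (40.0, "52.90.110.169", 8080),  # same IP, earlier answer still fresh: covered
]


def is_private_or_local(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_multicast


def find_unresolved_connections(dns_log, conn_log, ttl=300.0):
    """Return [(dst_ip, dst_port)] for connections to public IPs that no DNS
    answer within the preceding `ttl` seconds covered.

    The resolver's own IP is exempt (it is contacted by address by design).
    Answers are indexed by IP, so multi-answer responses and CNAME chains all
    count as coverage for every address they return.
    """
    resolvers = {resolver for (_, resolver, _, _) in dns_log}
    answered_at = defaultdict(list)  # ip -> [t_answered, ...]
    for t, _, _, ips in dns_log:
        for ip in ips:
            answered_at[ip].append(t)

    flagged = []
    for t, dst, port in sorted(conn_log):
        if dst in resolvers or is_private_or_local(dst):
            continue
        covered = any(ta <= t <= ta + ttl for ta in answered_at.get(dst, []))
        if not covered:
            flagged.append((dst, port))
    return flagged


if __name__ == "__main__":
    for ip, port in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"no DNS query preceded connection to {ip}:{port}")
```

Run it with an empty DNS log and every public peer is flagged, including the resolver. That is exactly what this check produces on a host using DNS over HTTPS: the resolver is then itself a "DNS-less" HTTPS peer, and hard-coded C2 addresses become indistinguishable from ordinary traffic unless the DoH endpoints are exempted explicitly or that traffic is decrypted. Raising the TTL does not help with either case.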
Further signature rows (their section headings were not preserved) |
---|
Code function: 0_2_6CE81880, 30_2_6CE81880 |
Code function: 0_2_6CE8E040, 0_2_6CE8E2F0, 0_2_6CE8E32D, 0_2_6CE8E308, 30_2_6CE8E040, 30_2_6CE8E2F0, 30_2_6CE8E32D, 30_2_6CE8E308 |
Binary or memory string |
Static PE information |
Classification label |
Code function: 30_2_6CE96580 |
Code function: 0_2_6CE86690 |
Code function: 0_2_6CE86690, 30_2_6CE86690 |
Mutant created |
Static PE information |
Key opened |
File read (2 entries) |
Process created (96 entries) |
Section loaded (2 entries) |
Key value queried |
Static PE information |
Code function: 0_2_6CE828E0 |
Code function: 0_2_6CE86690 |
Process information set (40 entries) |
Malware Analysis System Evasion |
---|
Code function: 0_2_6CE81000, 30_2_6CE81000 |
Window / User API |
Check user administrative privileges: graph_30-20969 |
Code function: 0_2_6CE81000, 30_2_6CE81000 |
Thread sleep count (39 entries) |
Thread sleep time (1 entry) |
Last function (3 entries) |
Thread delayed |
Binary or memory string |
Code function: 0_2_6CE828E0 |
HIPS / PFW / Operating System Protection Evasion |
---|
Network Connect |
Domain query |
Code function: 0_2_6CE86B50 |
Process created |
Code function: 30_2_6CEA2B70 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Service Execution | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 2 Native API | 3 Windows Service | 11 Access Token Manipulation | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 3 Windows Service | 11 Access Token Manipulation | Security Account Manager | 1 Peripheral Device Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 111 Process Injection | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 1 Rundll32 | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
12 URLs (values not preserved) | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ec2-52-90-110-169.compute-1.amazonaws.com | 52.90.110.169 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
4 domains (names not preserved) | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
8 URLs (values not preserved) | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
13.85.23.86 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false | |
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false | |
52.90.110.169 | ec2-52-90-110-169.compute-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | true | |
162.159.36.2 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
20.12.23.50 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
IP |
---|
192.168.2.1 |
192.168.2.5 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1481559 |
Start date and time: | 2024-07-25 11:03:04 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 42 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LisectAVT_2403002C_101.dll |
Detection: | MAL |
Classification: | mal56.evad.winDLL@95/0@1/7 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded IPs from analysis (whitelisted): 199.232.210.172, 192.229.221.95
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: LisectAVT_2403002C_101.dll
Time | Type | Description |
---|---|---|
05:04:05 | API Interceptor | |
05:05:58 | API Interceptor |
IP context (associated sample names and SHA256 values were not preserved; every listed match is rated malicious):

Match | Threat Name |
---|---|
1.1.1.1 | FormBook, NSISDropper |
1.1.1.1 | Unknown |
1.1.1.1 | FormBook |
1.1.1.1 | Unknown |
162.159.36.2 | Unknown |
162.159.36.2 | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz |
162.159.36.2 | Amadey, RisePro Stealer |
162.159.36.2 | Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT |
162.159.36.2 | Wannacry |
162.159.36.2 | Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT |
162.159.36.2 | Amadey, Babadeda, Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT |
20.12.23.50 | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz |
20.12.23.50 | Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT |
ASN context (associated sample names and SHA256 values were not preserved; every listed match is rated malicious; the CLOUDFLARENETUS block appeared twice in the original with identical rows and is listed once):

Match | Threat Name |
---|---|
CLOUDFLARENETUS | FormBook |
CLOUDFLARENETUS | Ramnit |
CLOUDFLARENETUS | AgentTesla |
CLOUDFLARENETUS | Unknown |
CLOUDFLARENETUS | AgentTesla |
CLOUDFLARENETUS | Bdaejec, Darkbot |
CLOUDFLARENETUS | Bdaejec, Sodinokibi |
CLOUDFLARENETUS | Unknown |
CLOUDFLARENETUS | Bdaejec, Ramnit |
CLOUDFLARENETUS | FormBook |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Unknown |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Darkbot |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Unknown |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Bdaejec, Darkbot |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Unknown |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Unknown |
MICROSOFT-CORP-MSN-AS-BLOCKUS | FormBook, GuLoader |
MICROSOFT-CORP-MSN-AS-BLOCKUS | DBatLoader |
MICROSOFT-CORP-MSN-AS-BLOCKUS | Njrat |
MICROSOFT-CORP-MSN-AS-BLOCKUS | DBatLoader |
AMAZON-AESUS | Bdaejec, Gandcrab |
AMAZON-AESUS | Bdaejec, Gandcrab |
AMAZON-AESUS | Bdaejec, Gandcrab |
AMAZON-AESUS | Gamarue |
AMAZON-AESUS | Bdaejec, Gandcrab |
AMAZON-AESUS | Bdaejec, Darkbot |
AMAZON-AESUS | Bdaejec, Sodinokibi |
AMAZON-AESUS | Bdaejec, Sodinokibi |
AMAZON-AESUS | Bdaejec, Ramnit |
AMAZON-AESUS | Upatre |
Fingerprint context (the 32-hex match is the JA3 fingerprint flagged under Networking; associated sample names and SHA256 values were not preserved; every listed match is rated malicious):

Match | Threat Name |
---|---|
28a2c9bd18a11de089ef85a160da29e4 | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | Njrat |
28a2c9bd18a11de089ef85a160da29e4 | Coinhive, Xmrig |
28a2c9bd18a11de089ef85a160da29e4 | Xmrig |
28a2c9bd18a11de089ef85a160da29e4 | Revenge |
28a2c9bd18a11de089ef85a160da29e4 | HTMLPhisher |
28a2c9bd18a11de089ef85a160da29e4 | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | Unknown |
28a2c9bd18a11de089ef85a160da29e4 | Unknown |
File type: | |
Entropy (8bit): | 6.529157171131098 |
TrID: |
|
File name: | LisectAVT_2403002C_101.dll |
File size: | 192'512 bytes |
MD5: | e297538fd11e88f35c51d59361579625 |
SHA1: | f083c244220424b40d90046003e02f4281d5a5ce |
SHA256: | 51c5b0c6008197cd7c9a9fcd7e0be8534578f2e5ec4f0b48501b09e427825fd7 |
SHA512: | bdf488b91477e118d126d774137715f4db744738148fb13e26e54cb827ce483044d75bf7fee377c23f1e507f318cf33615f596fc8813a681917ba6a2b9455f9a |
SSDEEP: | 3072:HqPO7C6IiSX2hI/rmE8PjguXRY7ArrCEmguU1DNlFJa34kg:HSOu6i2hI/rXGg4RLmED5B |
TLSH: | 04143915F501873DE8BF00FAC7F9266CA52C9A32935820C3ABC85CA71555AEBBF35193 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............A...............y.......I.......H.......O.....Rich............PE..L......N...........!.....d...6............. |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x10001880 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4EE21DCE [Fri Dec 9 14:40:14 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | a87240b873c1a5b2b17c559a4ce533e7 |
Instruction |
---|
push ebp |
mov ebp, esp |
push ecx |
mov eax, dword ptr [10030628h] |
and eax, 01h |
jne 00007FB5FCB67B3Dh |
mov ecx, dword ptr [10030628h] |
or ecx, 01h |
mov dword ptr [10030628h], ecx |
mov edx, dword ptr [10028194h] |
mov dword ptr [10030624h], edx |
mov eax, dword ptr [ebp+0Ch] |
mov dword ptr [ebp-04h], eax |
cmp dword ptr [ebp-04h], 00000000h |
je 00007FB5FCB67B31h |
cmp dword ptr [ebp-04h], 01h |
je 00007FB5FCB67B24h |
jmp 00007FB5FCB67B2Eh |
call 00007FB5FCB672F3h |
jmp 00007FB5FCB67B27h |
call 00007FB5FCB6731Ch |
mov eax, 00000001h |
mov esp, ebp |
pop ebp |
retn 000Ch |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
sub esp, 08h |
mov eax, dword ptr [10028120h] |
mov dword ptr [ebp-04h], eax |
mov dword ptr [ebp-08h], 00000000h |
call 00007FB5FCB672BBh |
call 00007FB5FCB7D8F6h |
mov dword ptr [ebp-08h], eax |
mov ecx, dword ptr [ebp-08h] |
push ecx |
call 00007FB5FCB683CAh |
push eax |
call 00007FB5FCB68484h |
test eax, eax |
jne 00007FB5FCB67B2Bh |
mov edx, dword ptr [ebp-08h] |
push edx |
call 00007FB5FCB68597h |
call 00007FB5FCB672C2h |
mov eax, dword ptr [ebp-08h] |
mov esp, ebp |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebp |
mov ebp, esp |
pop ebp |
ret |
int3 |
int3 |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2bfc0 | 0x3d4 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b590 | 0x64 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x3e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9b000 | 0x2188 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x1b4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x262de | 0x26400 | fb8bd1b81ccfb4f534f3daef7cbb4cca | False | 0.47029462826797386 | data | 6.33246806574087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x28000 | 0x4394 | 0x4400 | 82b918d77a044f40686ae5809c89ddbd | False | 0.759765625 | data | 7.055205472510572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x2d000 | 0x6c551 | 0xa00 | c81870d3c545b9989522cccbbdbde726 | False | 0.913671875 | data | 7.449705734565964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x9a000 | 0x3e0 | 0x400 | 6117fb448b882a3030c2aff8efcd289b | False | 0.4248046875 | data | 3.0643979755835313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x9b000 | 0x26fc | 0x2800 | 745f439c351f3878b92a5df493588d95 | False | 0.62431640625 | data | 6.137144019251764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_DIALOG | 0x9a340 | 0x9c | data | Chinese | China | 0.6794871794871795 |
RT_VERSION | 0x9a0a0 | 0x29c | data | Chinese | China | 0.4550898203592814 |
DLL | Import |
---|---|
KERNEL32.dll | EnumTimeFormatsW, GlobalAddAtomW, TryEnterCriticalSection, HeapAlloc, EnumResourceNamesW, GlobalFix, HeapCompact, TlsSetValue, FindResourceExA, MoveFileA, CompareFileTime, WriteProfileSectionW, InitializeSListHead, UpdateResourceA, ClearCommBreak, GetDevicePowerState, Sleep, EnumResourceTypesW, SetConsoleTitleA, IsSystemResumeAutomatic, GetShortPathNameA, GetPrivateProfileStringW, IsBadStringPtrA, CreateMailslotW, LoadLibraryA, GetProcAddress, PeekConsoleInputA, GetSystemWindowsDirectoryW, OpenWaitableTimerA, CreateFileW, GetLastError, SetFilePointer, WriteFile, CloseHandle, SetConsoleActiveScreenBuffer, SetCurrentDirectoryW, EnumSystemCodePagesA, GetCalendarInfoA, GetTickCount, FindResourceW |
USER32.dll | DefDlgProcA, DrawAnimatedRects, ArrangeIconicWindows, SetWindowRgn, HideCaret, ScrollWindowEx, ShowWindowAsync, RegisterClipboardFormatA, AnimateWindow, FillRect, GetClassInfoExW, IsDialogMessageW, CharLowerBuffA, LoadStringW, GetKBCodePage, DlgDirSelectComboBoxExA, ClipCursor, IsWindowUnicode, SendMessageTimeoutA, PostMessageA, OemToCharA, GetClipboardFormatNameA, UnregisterDeviceNotification, ExitWindowsEx, SetPropA, SystemParametersInfoA, UnregisterClassA, GetDlgItemInt, IsWindowEnabled, LoadCursorFromFileA |
GDI32.dll | CloseFigure, SetBitmapBits, GetPixel, PlayMetaFileRecord, GetMiterLimit, GetEnhMetaFileHeader, SetICMProfileA, SetColorSpace, SetICMMode, SetTextColor, SetDeviceGammaRamp, SelectPalette, GetWindowExtEx, CreateEnhMetaFileA, DeleteDC, LPtoDP, GetBitmapBits |
ADVAPI32.dll | IsValidSid, SetSecurityDescriptorSacl, RegDisablePredefinedCache, FileEncryptionStatusW, LookupPrivilegeNameW, OpenBackupEventLogW, LogonUserW, RegEnumKeyW, StartServiceCtrlDispatcherW, InitiateSystemShutdownExW, SetKernelObjectSecurity, AreAllAccessesGranted, QueryServiceConfigA, LookupPrivilegeNameA, RegOpenUserClassesRoot, ImpersonateLoggedOnUser, ReadEventLogW, RegEnumKeyExA |
Name | Ordinal | Address |
---|---|---|
GnrkBltvkx | 1 | 0x10001a90 |
GnrkBmoaar | 2 | 0x10001aa0 |
GnrkCyrpw | 3 | 0x10001a40 |
GnrkEkp | 4 | 0x10001be0 |
GnrkEnjzs | 5 | 0x10001d80 |
GnrkFa | 6 | 0x10001d60 |
GnrkFsx | 7 | 0x10001940 |
GnrkGm | 8 | 0x10001c70 |
GnrkGt | 9 | 0x10001b30 |
GnrkHhcpo | 10 | 0x10001c20 |
GnrkHjtl | 11 | 0x10001c10 |
GnrkIiip | 12 | 0x10001d90 |
GnrkJird | 13 | 0x10001d50 |
GnrkJstv | 14 | 0x10001e20 |
GnrkKhlhca | 15 | 0x10001e10 |
GnrkKhqbbu | 16 | 0x10001f00 |
GnrkLmkamk | 17 | 0x10001dc0 |
GnrkLoc | 18 | 0x10001a10 |
GnrkNlqh | 19 | 0x10001e00 |
GnrkNofovl | 20 | 0x10001da0 |
GnrkNr | 21 | 0x10001970 |
GnrkNsdwzc | 22 | 0x10001a70 |
GnrkOda | 23 | 0x10001ca0 |
GnrkOhqbhe | 24 | 0x10001ee0 |
GnrkOi | 25 | 0x10001db0 |
GnrkOksgc | 26 | 0x10001cb0 |
GnrkOxft | 27 | 0x10001960 |
GnrkPp | 28 | 0x10001b00 |
GnrkQm | 29 | 0x10001bf0 |
GnrkQr | 30 | 0x10001770 |
GnrkQulon | 31 | 0x10001c90 |
GnrkRrdcfn | 32 | 0x10001c50 |
GnrkSbq | 33 | 0x10001990 |
GnrkSf | 34 | 0x10001ec0 |
GnrkStso | 35 | 0x10001ae0 |
GnrkTcfv | 36 | 0x10001eb0 |
GnrkTch | 37 | 0x10001c30 |
GnrkTjxdo | 38 | 0x10001ab0 |
GnrkTrg | 39 | 0x10001e60 |
GnrkUsmc | 40 | 0x10001930 |
GnrkVnndq | 41 | 0x10001b10 |
GnrkWapq | 42 | 0x10001de0 |
GnrkWsnq | 43 | 0x10001ad0 |
GnrkWtlrh | 44 | 0x10001c00 |
GnrkWyey | 45 | 0x10001c40 |
GnrkXalbb | 46 | 0x10001950 |
GnrkXzwnp | 47 | 0x10001a50 |
GnrkZewk | 48 | 0x10001d20 |
GnrkZtdij | 49 | 0x10001b70 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
2024-07-25T11:03:50.937557+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49717 | 8080 | 192.168.2.5 | 52.90.110.169 |
2024-07-25T11:05:13.891219+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49714 | 80 | 192.168.2.5 | 52.90.110.169 |
2024-07-25T11:04:51.489726+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49712 | 80 | 192.168.2.5 | 52.90.110.169 |
2024-07-25T11:04:12.566298+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 13.85.23.86 | 192.168.2.5 |
2024-07-25T11:04:50.190026+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49713 | 20.12.23.50 | 192.168.2.5 |
2024-07-25T11:05:30.970079+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49715 | 80 | 192.168.2.5 | 52.90.110.169 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jul 25, 2024 11:04:06.510271072 CEST | 62235 | 53 | 192.168.2.5 | 8.8.8.8 |
Jul 25, 2024 11:04:06.530945063 CEST | 53 | 62235 | 8.8.8.8 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jul 25, 2024 11:04:06.510271072 CEST | 192.168.2.5 | 8.8.8.8 | 0xe9bb | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jul 25, 2024 11:04:06.530945063 CEST | 8.8.8.8 | 192.168.2.5 | 0xe9bb | No error (0) | 52.90.110.169 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49704 | 52.90.110.169 | 80 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:04:06.538738012 CEST | 86 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49712 | 52.90.110.169 | 80 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:04:30.128576994 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49714 | 52.90.110.169 | 80 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:04:52.506453991 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49715 | 52.90.110.169 | 80 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:05:14.916404009 CEST | 258 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49717 | 52.90.110.169 | 8080 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jul 25, 2024 11:05:55.712255955 CEST | 263 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
0 | 192.168.2.5 | 49705 | 13.85.23.86 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:04:12 UTC | 306 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49705 | 13.85.23.86 | 443 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:04:12 UTC | 560 | IN | |
2024-07-25 09:04:12 UTC | 15824 | IN | |
2024-07-25 09:04:12 UTC | 8666 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port |
---|---|---|---|---|
2 | 192.168.2.5 | 49713 | 20.12.23.50 | 443 |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:04:49 UTC | 306 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49713 | 20.12.23.50 | 443 | 7180 | C:\Windows\SysWOW64\rundll32.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-07-25 09:04:50 UTC | 560 | IN | |
2024-07-25 09:04:50 UTC | 15824 | IN | |
2024-07-25 09:04:50 UTC | 14181 | IN |
Target ID: | 0 |
Start time: | 05:03:52 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe10000 |
File size: | 126'464 bytes |
MD5 hash: | 51E6071F9CBA48E79F10C84515AAE618 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 1 |
Start time: | 05:03:52 |
Start date: | 25/07/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 2 |
Start time: | 05:03:52 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 05:03:52 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 05:03:52 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 05:03:55 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 05:03:58 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 12 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 13 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 14 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 15 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 16 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 17 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 18 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 19 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 20 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 21 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 22 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 23 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 24 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 25 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 26 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 27 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 28 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 29 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 30 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | false |
Target ID: | 31 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 32 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 33 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 34 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 35 |
Start time: | 05:04:03 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 36 |
Start time: | 05:04:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 37 |
Start time: | 05:04:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 38 |
Start time: | 05:04:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 39 |
Start time: | 05:04:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 40 |
Start time: | 05:04:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 41 |
Start time: | 05:04:04 |
Start date: | 25/07/2024 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 61'440 bytes |
MD5 hash: | 889B99C52A60DD49227C5E485A016679 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 15.2% |
Total number of Nodes: | 46 |
Total number of Limit Nodes: | 1 |
Functions (address, relevance, API/string counts, instruction count, tags):
Function 6CE81000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44 (sleep, COMMON)
Function 6CE81880 Relevance: 0.0, Instructions: 25 (COMMON)
Function 6CE823F0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 28 (string, COMMON)
Function 6CE836C0 Relevance: 1.3, APIs: 1, Instructions: 32 (memory, COMMON)
Function 6CE8E2F0 Relevance: 2.7, Strings: 2, Instructions: 245 (COMMON)
Function 6CE8E308 Relevance: 2.6, Strings: 2, Instructions: 133 (COMMON)
Function 6CE8E32D Relevance: 2.6, Strings: 2, Instructions: 127 (COMMON)
Function 6CE8E040 Relevance: 1.5, Strings: 1, Instructions: 213 (COMMON)
Function 6CE828E0 Relevance: 1.3, Strings: 1, Instructions: 62 (COMMON)
Function 6CE86B50 Relevance: 0.0, Instructions: 44 (COMMON)
Function 6CE86690 Relevance: 0.0, Instructions: 32 (COMMON)
Function 6CE891E0 Relevance: 0.0, Instructions: 15 (COMMON)
Function 6CE82680 Relevance: 7.6, APIs: 5, Instructions: 63 (file, COMMON)
Function 6CE9E650 Relevance: 6.1, APIs: 4, Instructions: 74 (COMMON)
Execution Graph
Execution Coverage: | 8.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 1.3% |
Total number of Nodes: | 1181 |
Total number of Limit Nodes: | 116 |
Functions (address, relevance, API/string counts, instruction count, tags):
Function 6CE81000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44 (sleep, COMMON)
Function 6CE96580 Relevance: 1.5, APIs: 1, Instructions: 36 (COMMON)
Function 6CEA2DE0 Relevance: 1.5, APIs: 1, Instructions: 32 (network, COMMON)
Function 6CEA2B70 Relevance: 1.5, APIs: 1, Instructions: 30 (network, COMMON)
Function 6CE82C90 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 345 (COMMON, LIBRARYCODE)
Function 6CE82830 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30 (memory, COMMON, LIBRARYCODE)
Function 6CE83730 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30 (COMMON, LIBRARYCODE)
Function 6CE823F0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 28 (string, COMMON)
Function 6CEA6E00 Relevance: 1.5, APIs: 1, Instructions: 42 (network, COMMON)
Function 6CEA50B0 Relevance: 1.5, APIs: 1, Instructions: 40 (network, COMMON)
Function 6CEA6FE0 Relevance: 1.5, APIs: 1, Instructions: 38 (network, COMMON)
Function 6CEA6F60 Relevance: 1.5, APIs: 1, Instructions: 38 (network, COMMON)
Function 6CEA1CA0 Relevance: 1.5, APIs: 1, Instructions: 36 (network, COMMON)
Function 6CE8F810 Relevance: 1.5, APIs: 1, Instructions: 36 (thread, COMMON)
Function 6CE96730 Relevance: 1.5, APIs: 1, Instructions: 34 (COMMON)
Function 6CEA1AF0 Relevance: 1.5, APIs: 1, Instructions: 34 (network, COMMON)
Function 6CEA2BE0 Relevance: 1.5, APIs: 1, Instructions: 34 (COMMON)
Function 6CE93E70 Relevance: 1.5, APIs: 1, Instructions: 32 (time, COMMON)
Function 6CEA6D90 Relevance: 1.5, APIs: 1, Instructions: 30 (network, COMMON)
Function 6CE96510 Relevance: 1.5, APIs: 1, Instructions: 30 (COMMON)
Function 6CEA2D10 Relevance: 1.5, APIs: 1, Instructions: 30 (COMMON)
Function 6CEA6E80 Relevance: 1.5, APIs: 1, Instructions: 30 (COMMON)
Function 6CE827C0 Relevance: 1.5, APIs: 1, Instructions: 30 (memory, COMMON)
Function 6CEA2B00 Relevance: 1.5, APIs: 1, Instructions: 30 (network, COMMON)
Function 6CEA6CD0 Relevance: 1.5, APIs: 1, Instructions: 28 (network, COMMON)
Function 6CEA2C50 Relevance: 1.5, APIs: 1, Instructions: 28 (COMMON)
Function 6CEA4F90 Relevance: 1.5, APIs: 1, Instructions: 28 (thread, COMMON)
Function 6CEA2CB0 Relevance: 1.5, APIs: 1, Instructions: 26 (COMMON)
Function 6CEA1C40 Relevance: 1.5, APIs: 1, Instructions: 26 (network, COMMON)
Function 6CE9D910 Relevance: 1.5, APIs: 1, Instructions: 26 (network, COMMON)
Function 6CE836C0 Relevance: 1.3, APIs: 1, Instructions: 32 (memory, COMMON)
Function 6CE82210 Relevance: 1.3, APIs: 1, Instructions: 26 (sleep, COMMON)
Function 6CE82680 Relevance: 7.6, APIs: 5, Instructions: 63 (file, COMMON)
Function 6CE9E650 Relevance: 6.1, APIs: 4, Instructions: 74 (COMMON)