Edit tour
Windows
Analysis Report
Set-up.exe
Overview
General Information
| Sample name: | Set-up.exe |
| Analysis ID: | 1503435 |
| MD5: | f6f95571dba7580401d6d48e3d2e4a5b |
| SHA1: | 819ff2a13f2807b1b225dc3353d7783c010c0266 |
| SHA256: | 156f6dd75320e7bcabab6af745b64efe9411f665271c81d7eba67bc04bfaa9bd |
| Tags: | exe |
| Infos: |   |
 | |
Detection
Clipboard Hijacker, Cryptbot
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Set-up.exe (PID: 7488 cmdline: "C:\Users\ user\Deskt op\Set-up. exe" MD5: F6F95571DBA7580401D6D48E3D2E4A5B) - service123.exe (PID: 7992 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\servic e123.exe" MD5: 5F9451036F4A31D47EA2ECDD9805E040) - schtasks.exe (PID: 8116 cmdline:
"C:\Window s\System32 \schtasks. exe" /crea te /tn "Se rviceData4 " /tr "C:\ Users\user \AppData\L ocal\Temp\ /service12 3.exe" /st 00:01 /du 9800:59 / sc once /r i 1 /f MD5: 48C2FE20575769DE916F48EF0676A965) 
conhost.exe (PID: 8124 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- service123.exe (PID: 8176 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 5F9451036F4A31D47EA2ECDD9805E040)
- service123.exe (PID: 1388 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 5F9451036F4A31D47EA2ECDD9805E040)
- service123.exe (PID: 5136 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\/servic e123.exe MD5: 5F9451036F4A31D47EA2ECDD9805E040)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CryptBot | A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. | No Attribution |
{"C2 list": ["twov2vt.top", "analforeverlovyu.top", "+twov2vt.top"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_Cryptbot | Yara detected Cryptbot | Joe Security | ||
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Clipboard_Hijacker_5 | Yara detected Clipboard Hijacker | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Timestamp: | 2024-09-03T15:14:10.579524+0200 |
| SID: | 2054350 |
| Severity: | 1 |
| Source Port: | 49717 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-09-03T15:14:06.437129+0200 |
| SID: | 2054350 |
| Severity: | 1 |
| Source Port: | 49717 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-09-03T15:14:14.921542+0200 |
| SID: | 2054350 |
| Severity: | 1 |
| Source Port: | 49717 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 6_2_002B15D0 | |
| Source: | Code function: | 6_2_6C9614E0 | |
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 6_2_002B15D0 | |
| Source: | Code function: | 6_2_6C9CACA0 | |
| Source: | Code function: | 6_2_6C9D2CD0 | |
| Source: | Code function: | 6_2_6C9E6DEE | |
| Source: | Code function: | 6_2_6C9E6DEA | |
| Source: | Code function: | 6_2_6C96ED09 | |
| Source: | Code function: | 6_2_6C96EE80 | |
| Source: | Code function: | 6_2_6C96E8E0 | |
| Source: | Code function: | 6_2_6C96285F | |
| Source: | Code function: | 6_2_6C9629BE | |
| Source: | Code function: | 6_2_6C9929D1 | |
| Source: | Code function: | 6_2_6C9929D1 | |
| Source: | Code function: | 6_2_6C9929D1 | |
| Source: | Code function: | 6_2_6C9629FD | |
| Source: | Code function: | 6_2_6C96297F | |
| Source: | Code function: | 6_2_6C96EA97 | |
| Source: | Code function: | 6_2_6C9B2A90 | |
| Source: | Code function: | 6_2_6C9CAA90 | |
| Source: | Code function: | 6_2_6C962AF1 | |
| Source: | Code function: | 6_2_6C9D2AF0 | |
| Source: | Code function: | 6_2_6C96EA31 | |
| Source: | Code function: | 6_2_6C962A3C | |
| Source: | Code function: | 6_2_6C992A7C | |
| Source: | Code function: | 6_2_6C96EB80 | |
| Source: | Code function: | 6_2_6C962BD3 | |
| Source: | Code function: | 6_2_6C992BDC | |
| Source: | Code function: | 6_2_6C962B30 | |
| Source: | Code function: | 6_2_6C992B2C | |
| Source: | Code function: | 6_2_6C962B6F | |
| Source: | Code function: | 6_2_6C96E510 | |
| Source: | Code function: | 6_2_6C96E7B0 | |
| Source: | Code function: | 6_2_6C96E700 | |
| Source: | Code function: | 6_2_6C98E04C | |
| Source: | Code function: | 6_2_6C98E1E0 | |
| Source: | Code function: | 6_2_6C98E2B0 | |
| Source: | Code function: | 6_2_6C98E2B0 | |
| Source: | Code function: | 6_2_6C98E27C | |
| Source: | Code function: | 6_2_6C962390 | |
| Source: | Code function: | 6_2_6C98E3FC | |
| Source: | Code function: | 6_2_6C98E34C | |
| Source: | Code function: | 6_2_6C96BC9F | |
| Source: | Code function: | 6_2_6C96BCB5 | |
| Source: | Code function: | 6_2_6C96BCC7 | |
| Source: | Code function: | 6_2_6C96BC33 | |
| Source: | Code function: | 6_2_6C96BC58 | |
| Source: | Code function: | 6_2_6C96BC7E | |
| Source: | Code function: | 6_2_6C96BDFF | |
| Source: | Code function: | 6_2_6C96BD06 | |
| Source: | Code function: | 6_2_6C96BED2 | |
| Source: | Code function: | 6_2_6C983EF0 | |
| Source: | Code function: | 6_2_6C96F880 | |
| Source: | Code function: | 6_2_6C96B8E0 | |
| Source: | Code function: | 6_2_6C9CF99E | |
| Source: | Code function: | 6_2_6C9CF99A | |
| Source: | Code function: | 6_2_6C96BA80 | |
| Source: | Code function: | 6_2_6C96BAD0 | |
| Source: | Code function: | 6_2_6C98FA50 | |
| Source: | Code function: | 6_2_6C983A40 | |
| Source: | Code function: | 6_2_6C96BBC4 | |
| Source: | Code function: | 6_2_6C96BB7B | |
| Source: | Code function: | 6_2_6C9CF7DE | |
| Source: | Code function: | 6_2_6C9CF7DA | |
| Source: | Code function: | 6_2_6C96B750 | |
| Source: | Code function: | 6_2_6C9DF080 | |
| Source: | Code function: | 6_2_6C983060 | |
| Source: | Code function: | 6_2_6C9D4C00 | |
| Source: | Code function: | 6_2_6C9D4C00 | |
| Source: | Code function: | 6_2_6C9D4C00 | |
| Source: | Code function: | 6_2_6C9D0D3E | |
| Source: | Code function: | 6_2_6C9D0D3A | |
| Source: | Code function: | 6_2_6C9CCFB3 | |
| Source: | Code function: | 6_2_6CA08880 | |
| Source: | Code function: | 6_2_6C96CB40 | |
| Source: | Code function: | 6_2_6C97C730 | |
| Source: | Code function: | 6_2_6C990740 | |
| Source: | Code function: | 6_2_6C984010 | |
| Source: | Code function: | 6_2_6C96C070 | |
| Source: | Code function: | 6_2_6C9D4210 | |
| Source: | Code function: | 6_2_6C96C380 | |
| Source: | Code function: | 6_2_6C98DCCC | |
| Source: | Code function: | 6_2_6C98DC30 | |
| Source: | Code function: | 6_2_6C96DC60 | |
| Source: | Code function: | 6_2_6C98DD9C | |
| Source: | Code function: | 6_2_6C98DD00 | |
| Source: | Code function: | 6_2_6C98DD00 | |
| Source: | Code function: | 6_2_6C96DEE0 | |
| Source: | Code function: | 6_2_6C98DE4C | |
| Source: | Code function: | 6_2_6C98DFB0 | |
| Source: | Code function: | 6_2_6C96D8A0 | |
| Source: | Code function: | 6_2_6C98DA9C | |
| Source: | Code function: | 6_2_6C96DAF0 | |
| Source: | Code function: | 6_2_6C98DA00 | |
| Source: | Code function: | 6_2_6C96DB90 | |
| Source: | Code function: | 6_2_6C96D4C0 | |
| Source: | Code function: | 6_2_6C96D6A8 | |
| Source: | Code function: | 6_2_6C9B1600 | |
| Source: | Code function: | 6_2_6C96D645 | |
| Source: | Code function: | 6_2_6C96D1A0 | |
| Source: | Code function: | 6_2_6C9DD100 | |
| Source: | Code function: | 6_2_6C9DD100 | |
| Source: | Code function: | 6_2_6C9DD100 | |
| Source: | Code function: | 6_2_6C9E513E | |
| Source: | Code function: | 6_2_6C9E513A | |
| Source: | Code function: | 6_2_6C96D3A0 | |
| Source: | Code function: | 6_2_6C9D5300 | |
| Source: | Code function: | 6_2_6C9D5300 | |
| Source: | Code function: | 6_2_6C9D5300 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 6_2_6C97ADA0 | |
| Source: | Code function: | 6_2_6C97ADA0 | |
| Source: | Code function: | 6_2_6C97B0D0 | |
System Summary | |
|---|
| Source: | File dump: | Jump to dropped file | ||
| Source: | Code function: | 6_2_002B3E80 | |
| Source: | Code function: | 6_2_002B5140 | |
| Source: | Code function: | 6_2_6C96EE80 | |
| Source: | Code function: | 6_2_6C976B10 | |
| Source: | Code function: | 6_2_6C9B2080 | |
| Source: | Code function: | 6_2_6C9BE050 | |
| Source: | Code function: | 6_2_6C96FDC0 | |
| Source: | Code function: | 6_2_6C963D20 | |
| Source: | Code function: | 6_2_6C9738B0 | |
| Source: | Code function: | 6_2_6C963580 | |
| Source: | Code function: | 6_2_6C9C32F0 | |
| Source: | Code function: | 6_2_6C9A4EF3 | |
| Source: | Code function: | 6_2_6C970F20 | |
| Source: | Code function: | 6_2_6C9B0BF0 | |
| Source: | Code function: | 6_2_6C96CB40 | |
| Source: | Code function: | 6_2_6C9C4040 | |
| Source: | Code function: | 6_2_6C9A42A5 | |
| Source: | Code function: | 6_2_6C978260 | |
| Source: | Code function: | 6_2_6C9A5CB0 | |
| Source: | Code function: | 6_2_6C9C5E20 | |
| Source: | Code function: | 6_2_6C975850 | |
| Source: | Code function: | 6_2_6C9A9B10 | |
| Source: | Code function: | 6_2_6C969790 | |
| Source: | Code function: | 6_2_6C9C50C0 | |
| Source: | Code function: | 6_2_6C9951E0 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 6_2_002B14F0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 6_2_002BA614 | |
| Source: | Code function: | 6_2_002BB171 | |
| Source: | Code function: | 6_2_002BA614 | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6C9C6D11 | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6C9DEE15 | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6C9E3134 | |
| Source: | Code function: | 6_2_6C9E3153 | |
| Source: | Code function: | 6_2_6C9C6E3B | |
| Source: | Code function: | 6_2_6C9F7372 | |
| Source: | Code function: | 6_2_6C9DF06D | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6C9DE815 | |
| Source: | Code function: | 6_2_6C9E2B64 | |
| Source: | Code function: | 6_2_6C9E2B83 | |
| Source: | Code function: | 6_2_6C9B2AA4 | |
| Source: | Code function: | 6_2_6C9C6B3A | |
| Source: | Code function: | 6_2_6C9C6B3A | |
| Source: | Code function: | 6_2_6C9DEB70 | |
| Source: | Code function: | 6_2_6C9E2B64 | |
| Source: | Code function: | 6_2_6C9E2B83 | |
| Source: | Code function: | 6_2_6C9E2B83 | |
| Source: | Code function: | 6_2_6C9E2B64 | |
| Source: | Code function: | 6_2_6C9E2B83 | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | Code function: | 6_2_6C9B64ED | |
| Source: | Code function: | 6_2_6CA3E4E1 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | Process created: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_6-185349 | ||
| Source: | Registry key queried: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 6_2_002B14F0 | |
| Source: | Code function: | 6_2_002B117C | |
| Source: | Code function: | 6_2_002B1170 | |
| Source: | Code function: | 6_2_002B11B3 | |
| Source: | Code function: | 6_2_002B13D1 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 6_2_6C9E8AF0 | |
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 2 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 112 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.CryptBot |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| twov2vt.top | 195.133.48.136 | true | true | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 195.133.48.136 | twov2vt.top | Russian Federation | 48347 | MTW-ASRU | true |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1503435 |
| Start date and time: | 2024-09-03 15:13:08 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 17s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 15 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Set-up.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@9/2@1/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
- Excluded IPs from analysis (whitelisted): 72.247.153.178, 72.247.153.162
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
- Execution Graph export aborted for target Set-up.exe, PID 7488 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: Set-up.exe
| Time | Type | Description |
|---|---|---|
| 09:14:05 | API Interceptor | |
| 09:15:27 | API Interceptor | |
| 14:14:55 | Task Scheduler |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 195.133.48.136 | Get hash | malicious | Amadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | Browse |
| |
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Amadey, Cryptbot, PureLog Stealer, RedLine, Stealc, zgRAT | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| MTW-ASRU | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Amadey, AsyncRAT, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | Cryptbot | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, SmokeLoader, Stealc | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, Cryptbot, PureLog Stealer, RedLine, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\Set-up.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 315835392 |
| Entropy (8bit): | 0.05575080078946029 |
| Encrypted: | false |
| SSDEEP: | 24576:eTEpAuFQDK4j2jWSibsrm+eZJlMmI/FX6Ls6DC1C84OA:eTExvibsruAmI/FKLs/ |
| MD5: | 7025804CC152ADD9E51A014B948CBD21 |
| SHA1: | 996018AA52AE96F64926590A94264643961C470E |
| SHA-256: | 3BD7940663399F79FF6B5A2685D4F2AFDF3F97D1AAC76D729C1FBDA3A8E8F914 |
| SHA-512: | 662D290218611CA6CEA496C733D04F1F0EA66869EA1D32CB28F7CCE4E38E448A69E814E9FABEE1134657CCBDFB3AECB2669878AC97A117EE26032A6B8DF84109 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\Set-up.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 314613760 |
| Entropy (8bit): | 0.0021535533000963834 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 5F9451036F4A31D47EA2ECDD9805E040 |
| SHA1: | D0E376956D7EDAA46B7A24CB391C5265F64DD103 |
| SHA-256: | B59168F5F3E22ACB6B0E6305C189576BA7B2D275D6CB12847C9366FA2E3C545D |
| SHA-512: | 3C688E061D085DB79EB4E14C45B3D821E56BED3BCBA12DA6B43EBFE853EBF509B24EABEC41124D5AD3503CC9842F73E001E86708C4E36F110AD9877A8EB87BE5 |
| Malicious: | true |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.6301667417684875 |
| TrID: |
|
| File name: | Set-up.exe |
| File size: | 6'616'665 bytes |
| MD5: | f6f95571dba7580401d6d48e3d2e4a5b |
| SHA1: | 819ff2a13f2807b1b225dc3353d7783c010c0266 |
| SHA256: | 156f6dd75320e7bcabab6af745b64efe9411f665271c81d7eba67bc04bfaa9bd |
| SHA512: | e4dfbb7d841d3adfe41dca95c97f62c5052952d0342c9a6d410f5dd3f681818dd7d8455ebd469c82b2a3abba42a344147f18a6ccea53884d45dae2a9c227785e |
| SSDEEP: | 49152:kS68XosrSxzpNEKvZS4blk4utCygRnXAAcCtdqP0eYfaCIWJB4Kt6VYrisPaVlU1:l9SHa4blIUdRN7yNEdp7V5WvAkm |
| TLSH: | BB66183A9A4355C8C13FA57ADC937F3FF4286AD843A9491BAC0508FCA755391E8AD313 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..^.7%.........#..G.. Z...f...........G...@..........................P........e....... .........................B.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x4014b0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x66D69F00 [Tue Sep 3 05:30:40 2024 UTC] |
| TLS Callbacks: | 0x86d6a0, 0x86d650 |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 92a00f4d0a4448266e9c638fdb1341b9 |
| Instruction |
|---|
| mov dword ptr [00F2E6ACh], 00000001h |
| jmp 00007F926CB0B576h |
| nop |
| mov dword ptr [00F2E6ACh], 00000000h |
| jmp 00007F926CB0B566h |
| nop |
| sub esp, 1Ch |
| mov eax, dword ptr [esp+20h] |
| mov dword ptr [esp], eax |
| call 00007F926CF850EEh |
| test eax, eax |
| sete al |
| add esp, 1Ch |
| movzx eax, al |
| neg eax |
| ret |
| nop |
| nop |
| nop |
| push ebp |
| mov ebp, esp |
| push edi |
| push esi |
| push ebx |
| sub esp, 1Ch |
| mov dword ptr [esp], 0087E000h |
| call dword ptr [00F311F0h] |
| sub esp, 04h |
| test eax, eax |
| je 00007F926CB0B935h |
| mov ebx, eax |
| mov dword ptr [esp], 0087E000h |
| call dword ptr [00F31210h] |
| mov edi, dword ptr [00F311F8h] |
| sub esp, 04h |
| mov dword ptr [008C1028h], eax |
| mov dword ptr [esp+04h], 0087E013h |
| mov dword ptr [esp], ebx |
| call edi |
| sub esp, 08h |
| mov esi, eax |
| mov dword ptr [esp+04h], 0087E029h |
| mov dword ptr [esp], ebx |
| call edi |
| mov dword ptr [0087C004h], eax |
| sub esp, 08h |
| test esi, esi |
| je 00007F926CB0B8D3h |
| mov dword ptr [esp+04h], 008C102Ch |
| mov dword ptr [esp], 00888000h |
| call esi |
| mov dword ptr [esp], 004015A0h |
| call 00007F926CB0B823h |
| lea esp, dword ptr [ebp-0Ch] |
| pop ebx |
| pop esi |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb30000 | 0x42 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb31000 | 0x9e4 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb34000 | 0xe21ec | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x486b94 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb311e0 | 0x190 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x47ab84 | 0x47ac00 | c5aabe6a37ae576377e02b14b06916d0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x47c000 | 0x1528 | 0x1600 | 025e7dff77a4c3ebca06f29a3239e72a | False | 0.6052911931818182 | dBase III DBT, version number 0, next free block index 10, 1st item "\264\307@" | 5.623014617365603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x47e000 | 0x9db8 | 0x9e00 | 8bdb14644f5162a0ec865f3266afa7a7 | False | 0.3778926028481013 | data | 4.392731868222294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| /4 | 0x488000 | 0x38c30 | 0x38e00 | 8926bb9d3ce62b79db2aaff314ad42e1 | False | 0.24520089285714286 | data | 5.0880059380327785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0x4c1000 | 0x66e1b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xb30000 | 0x42 | 0x200 | f837296183fee715849227e09b510b8d | False | 0.119140625 | data | 0.6224141951479871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .idata | 0xb31000 | 0x9e4 | 0xa00 | 936013f03c6a831737390e9e43c3aaf7 | False | 0.4296875 | data | 5.104216554048779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .CRT | 0xb32000 | 0x34 | 0x200 | aa3da3aa0b3f1cee9371a66afb5d8276 | False | 0.0703125 | Matlab v4 mat-file (little endian) 0\326\206, numeric, rows 4198704, columns 0 | 0.27502052800628285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0xb33000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0xb34000 | 0xe21ec | 0xe2200 | 1338c146d849914476a67bf1ac08059c | False | 0.04476532269209508 | data | 6.841280104268188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /14 | 0xc17000 | 0x690 | 0x800 | b31ba2598231133956a6f2e8184b7942 | False | 0.2666015625 | Matlab v4 mat-file (little endian) \355\004, rows 2, columns 262144 | 2.1676706987920165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /29 | 0xc18000 | 0x1a7c4 | 0x1a800 | a8989922ba1711d72c8b66c0bdf99ff2 | False | 0.42386497641509435 | data | 6.074243231196206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /41 | 0xc33000 | 0x4c58 | 0x4e00 | c272f07e704eb90e2b6c4c9bad844e11 | False | 0.1761318108974359 | data | 4.711442500030027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /55 | 0xc38000 | 0xe342 | 0xe400 | f5f3952ee29930a0d35ee375b2a5e533 | False | 0.47647683662280704 | data | 5.285904658984095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /67 | 0xc47000 | 0x1d54 | 0x1e00 | e22a721063d4b3af9fba9033fc511668 | False | 0.334375 | data | 4.88397386492299 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /80 | 0xc49000 | 0x961 | 0xa00 | 9109961d3d1231997c8aa80b9ef91e44 | False | 0.381640625 | data | 4.6390012281106685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /91 | 0xc4a000 | 0x18b05 | 0x18c00 | 5b286364f5137777febcfe2f5ec8b660 | False | 0.3387192234848485 | data | 4.1602779339325675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| /102 | 0xc63000 | 0x11c0 | 0x1200 | acb9037b7b793eae32ab82637f1d257e | False | 0.3736979166666667 | Matlab v4 mat-file (little endian) \360, rows 16, columns 19, imaginary | 3.383708098291067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA |
| msvcrt.dll | __getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strcpy, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _utime, _fileno, _chmod |
| SHELL32.dll | ShellExecuteA |
| Name | Ordinal | Address |
|---|---|---|
| main | 1 | 0x416284 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|---|
| 2024-09-03T15:14:10.579524+0200 | TCP | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| 2024-09-03T15:14:06.437129+0200 | TCP | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| 2024-09-03T15:14:14.921542+0200 | TCP | 2054350 | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 | 1 | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 3, 2024 15:14:05.676539898 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:05.681492090 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:05.681587934 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:05.681747913 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:05.681771994 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:05.686614037 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:05.686635971 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:06.384628057 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:06.437129021 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.569052935 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.569334984 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.573852062 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574111938 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574161053 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.574310064 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574320078 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574366093 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.574371099 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574379921 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574426889 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.574440002 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574448109 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574454069 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574485064 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574506998 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.574522018 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.574527979 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.574563980 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.578949928 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579004049 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579040051 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579081059 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579085112 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579114914 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579220057 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579229116 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579269886 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579279900 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579324961 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579329967 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579371929 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579375029 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579415083 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579416990 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579471111 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579480886 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579520941 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579524040 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579580069 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.579631090 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.579675913 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.583930016 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.583971024 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.583998919 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.584022045 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:10.584038019 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584141016 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584202051 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584256887 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584321022 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584355116 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584420919 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584537029 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584660053 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584682941 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584697962 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584813118 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584824085 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584860086 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584872007 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584928989 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584937096 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584961891 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.584979057 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.585061073 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.585068941 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.585102081 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.585110903 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.585161924 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.585170984 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.588984013 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.589004040 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.589070082 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.589111090 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.589179993 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:10.589191914 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:11.036412954 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:11.077769995 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:14.345529079 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:14.345635891 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:14.350496054 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350524902 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350775957 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350785971 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350794077 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350804090 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350814104 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350822926 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350831985 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350845098 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350855112 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350863934 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350879908 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.350888968 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351119041 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351129055 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351138115 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351146936 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351155996 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351165056 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351172924 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351181984 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351190090 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351198912 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351411104 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.351449966 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.871783972 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:14.921541929 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:44.871238947 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Sep 3, 2024 15:14:44.871373892 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:44.871473074 CEST | 49717 | 80 | 192.168.2.9 | 195.133.48.136 |
| Sep 3, 2024 15:14:44.876316071 CEST | 80 | 49717 | 195.133.48.136 | 192.168.2.9 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 3, 2024 15:14:05.142376900 CEST | 59357 | 53 | 192.168.2.9 | 1.1.1.1 |
| Sep 3, 2024 15:14:05.670464039 CEST | 53 | 59357 | 1.1.1.1 | 192.168.2.9 |
| Sep 3, 2024 15:14:15.678904057 CEST | 53 | 61718 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 3, 2024 15:14:05.142376900 CEST | 192.168.2.9 | 1.1.1.1 | 0xb3e5 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 3, 2024 15:14:05.670464039 CEST | 1.1.1.1 | 192.168.2.9 | 0xb3e5 | No error (0) | 195.133.48.136 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.9 | 49717 | 195.133.48.136 | 80 | 7488 | C:\Users\user\Desktop\Set-up.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Sep 3, 2024 15:14:05.681747913 CEST | 330 | OUT | |
| Sep 3, 2024 15:14:05.681771994 CEST | 411 | OUT | |
| Sep 3, 2024 15:14:06.384628057 CEST | 190 | IN | |
| Sep 3, 2024 15:14:10.569052935 CEST | 332 | OUT | |
| Sep 3, 2024 15:14:10.569334984 CEST | 12360 | OUT | |
| Sep 3, 2024 15:14:10.574161053 CEST | 2472 | OUT | |
| Sep 3, 2024 15:14:10.574366093 CEST | 4944 | OUT | |
| Sep 3, 2024 15:14:10.574426889 CEST | 4944 | OUT | |
| Sep 3, 2024 15:14:10.574506998 CEST | 7416 | OUT | |
| Sep 3, 2024 15:14:10.574522018 CEST | 2472 | OUT | |
| Sep 3, 2024 15:14:10.574563980 CEST | 2472 | OUT | |
| Sep 3, 2024 15:14:10.579004049 CEST | 2472 | OUT | |
| Sep 3, 2024 15:14:10.579085112 CEST | 2472 | OUT | |
| Sep 3, 2024 15:14:11.036412954 CEST | 190 | IN | |
| Sep 3, 2024 15:14:14.345529079 CEST | 332 | OUT | |
| Sep 3, 2024 15:14:14.871783972 CEST | 190 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 1 |
| Start time: | 09:13:56 |
| Start date: | 03/09/2024 |
| Path: | C:\Users\user\Desktop\Set-up.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 6'616'665 bytes |
| MD5 hash: | F6F95571DBA7580401D6D48E3D2E4A5B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 09:14:53 |
| Start date: | 03/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2b0000 |
| File size: | 314'613'760 bytes |
| MD5 hash: | 5F9451036F4A31D47EA2ECDD9805E040 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 9 |
| Start time: | 09:14:53 |
| Start date: | 03/09/2024 |
| Path: | C:\Windows\SysWOW64\schtasks.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x90000 |
| File size: | 187'904 bytes |
| MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 10 |
| Start time: | 09:14:53 |
| Start date: | 03/09/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70f010000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 11 |
| Start time: | 09:14:57 |
| Start date: | 03/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2b0000 |
| File size: | 314'613'760 bytes |
| MD5 hash: | 5F9451036F4A31D47EA2ECDD9805E040 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 12 |
| Start time: | 09:15:02 |
| Start date: | 03/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x2b0000 |
| File size: | 314'613'760 bytes |
| MD5 hash: | 5F9451036F4A31D47EA2ECDD9805E040 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 14 |
| Start time: | 09:16:01 |
| Start date: | 03/09/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\service123.exe |
| Wow64 process (32bit): | |
| Commandline: | |
| Imagebase: | |
| File size: | 314'613'760 bytes |
| MD5 hash: | 5F9451036F4A31D47EA2ECDD9805E040 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 0.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 44.3% |
| Total number of Nodes: | 140 |
| Total number of Limit Nodes: | 7 |
Graph
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97ADA0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 196sleepsynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B8320 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B12A6 Relevance: 5.1, APIs: 4, Instructions: 79stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B13C3 Relevance: 5.1, APIs: 4, Instructions: 65stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97C950 Relevance: 1.4, APIs: 1, Instructions: 157COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97CAC0 Relevance: 1.4, APIs: 1, Instructions: 108COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C962390 Relevance: 38.0, APIs: 25, Instructions: 466COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96B750 Relevance: 37.7, APIs: 25, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96285F Relevance: 37.6, APIs: 25, Instructions: 112COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C962BD3 Relevance: 37.6, APIs: 25, Instructions: 84COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C962AF1 Relevance: 37.6, APIs: 25, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9629FD Relevance: 37.6, APIs: 25, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96297F Relevance: 37.6, APIs: 25, Instructions: 73COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9629BE Relevance: 37.6, APIs: 25, Instructions: 70COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C962B6F Relevance: 37.6, APIs: 25, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C962A3C Relevance: 37.6, APIs: 25, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C962B30 Relevance: 37.6, APIs: 25, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BA80 Relevance: 34.6, APIs: 23, Instructions: 110COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BBC4 Relevance: 34.6, APIs: 23, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BAD0 Relevance: 33.1, APIs: 22, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BDFF Relevance: 33.1, APIs: 22, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BB7B Relevance: 33.1, APIs: 22, Instructions: 62COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BED2 Relevance: 33.1, APIs: 22, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BD06 Relevance: 33.0, APIs: 22, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BC33 Relevance: 33.0, APIs: 22, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BC58 Relevance: 33.0, APIs: 22, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BC7E Relevance: 33.0, APIs: 22, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BC9F Relevance: 33.0, APIs: 22, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BCC7 Relevance: 33.0, APIs: 22, Instructions: 36COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96BCB5 Relevance: 33.0, APIs: 22, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96C380 Relevance: 28.6, APIs: 19, Instructions: 148COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96D3A0 Relevance: 24.1, APIs: 16, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96D4C0 Relevance: 22.6, APIs: 15, Instructions: 127COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C970F20 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1586stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96FDC0 Relevance: 21.7, APIs: 7, Strings: 5, Instructions: 659stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96D645 Relevance: 21.0, APIs: 14, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96D6A8 Relevance: 19.5, APIs: 13, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96D8A0 Relevance: 18.1, APIs: 12, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96DAF0 Relevance: 16.6, APIs: 11, Instructions: 68COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96DB90 Relevance: 15.1, APIs: 10, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9E8AF0 Relevance: 13.9, Strings: 11, Instructions: 136COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B14F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96DEE0 Relevance: 12.1, APIs: 8, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C969790 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 336stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C984010 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 214stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98FA50 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 198stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9929D1 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 196stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96E510 Relevance: 10.6, APIs: 7, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96E700 Relevance: 9.1, APIs: 6, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C978260 Relevance: 8.2, APIs: 5, Instructions: 664COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96EE80 Relevance: 8.0, APIs: 5, Instructions: 483COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B3E80 Relevance: 7.9, Strings: 6, Instructions: 424COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C975850 Relevance: 7.9, Strings: 6, Instructions: 424COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98E2B0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DD00 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96E7B0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96E8E0 Relevance: 6.2, APIs: 4, Instructions: 180COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96EA97 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96EA31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96EB80 Relevance: 4.7, APIs: 3, Instructions: 200COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9D4210 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 76stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DFB0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 66stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DA00 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 66stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98E1E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DC30 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 61stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96ED09 Relevance: 4.5, APIs: 3, Instructions: 13COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C992A7C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C992B2C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98E34C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DD9C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C963580 Relevance: 2.9, Strings: 2, Instructions: 398COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C983EF0 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C990740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9A4EF3 Relevance: 2.2, APIs: 1, Instructions: 923COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9A5CB0 Relevance: 2.2, APIs: 1, Instructions: 907COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9C5E20 Relevance: 2.1, Strings: 1, Instructions: 874COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9C50C0 Relevance: 2.1, Strings: 1, Instructions: 873COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9A42A5 Relevance: 2.1, APIs: 1, Instructions: 816COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9A9B10 Relevance: 1.9, APIs: 1, Instructions: 665COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C963D20 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9951E0 Relevance: 1.6, APIs: 1, Instructions: 357COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9BE050 Relevance: 1.6, APIs: 1, Instructions: 320COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9738B0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9DF080 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C983A40 Relevance: 1.3, Strings: 1, Instructions: 20COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C992BDC Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98E04C Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DA9C Relevance: 1.3, Strings: 1, Instructions: 14COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98E27C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98E3FC Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DCCC Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98DE4C Relevance: 1.3, Strings: 1, Instructions: 10COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9B2080 Relevance: .7, Instructions: 670COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9B0BF0 Relevance: .7, Instructions: 669COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9B1600 Relevance: .2, Instructions: 180COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9B2A90 Relevance: .2, Instructions: 178COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97B0D0 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9CF99A Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9CF7DA Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9CF7DE Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9CCFB3 Relevance: .0, Instructions: 50COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9E6DEA Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9D0D3A Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9E6DEE Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9D0D3E Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9E513A Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9E513E Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9CF99E Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97C730 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97F800 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B1970 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96A570 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97ABD1 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 33libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C961400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98AED0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 243stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B1E20 Relevance: 12.1, APIs: 8, Instructions: 90COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C98B240 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 185stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96E300 Relevance: 10.6, APIs: 7, Instructions: 120synchronizationCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B8000 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97ACC0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA1EDB8 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 305stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97C5D0 Relevance: 9.2, APIs: 6, Instructions: 153COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C961020 Relevance: 9.1, APIs: 6, Instructions: 108sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C985920 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C985680 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C969B53 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 177stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C969B0B Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 172stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA2ED80 Relevance: 7.6, APIs: 5, Instructions: 78stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA2EEA0 Relevance: 7.6, APIs: 5, Instructions: 75stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA2EFC0 Relevance: 7.6, APIs: 5, Instructions: 71stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA2FD10 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97A840 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C981500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B7FB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97AC78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97AC23 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C971D23 Relevance: 6.4, APIs: 4, Instructions: 415COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96A220 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C971C18 Relevance: 6.3, APIs: 4, Instructions: 276COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B78E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C97A470 Relevance: 6.1, APIs: 4, Instructions: 102COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C992DD0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 88stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B1001 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9F6E50 Relevance: 5.4, APIs: 4, Instructions: 412stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9F65D0 Relevance: 5.4, APIs: 4, Instructions: 412stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9F5CF0 Relevance: 5.4, APIs: 4, Instructions: 391stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9F5410 Relevance: 5.4, APIs: 4, Instructions: 391stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C9E8D21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B69E0 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C979230 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 002B1FD0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C96A9B0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|