Windows
Analysis Report
build.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- build.exe (PID: 7040 cmdline:
"C:\Users\ user\Deskt op\build.e xe" MD5: 76A22609F559DB1A73201B95A09053E7) - conhost.exe (PID: 7056 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - explorer.exe (PID: 6360 cmdline:
"C:\Window s\explorer .exe" MD5: 662F4F92FDE3557E86D110526BB578D5) - cvtres.exe (PID: 6316 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\cvt res.exe" D efault 193 .142.146.6 4 2015 VOe rOCQof MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- explorer.exe (PID: 2472 cmdline:
C:\Windows \explorer. exe /NoUAC Check MD5: 662F4F92FDE3557E86D110526BB578D5)
- explorer.exe (PID: 4940 cmdline:
C:\Windows \explorer. exe /NoUAC Check MD5: 662F4F92FDE3557E86D110526BB578D5)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_009D2AE0 | |
Source: | Code function: | 0_2_009D64E8 |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | DNS query: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Code function: | 0_2_009D2F70 |
System Summary |
---|
Source: | Large array initialization: | ||
Source: | Large array initialization: | ||
Source: | Large array initialization: |
Source: | Code function: | 0_2_009D0848 | |
Source: | Code function: | 0_2_009D3409 | |
Source: | Code function: | 0_2_009D07A9 | |
Source: | Code function: | 0_2_009D07E8 | |
Source: | Code function: | 3_2_026C62A3 | |
Source: | Code function: | 3_2_026C984B | |
Source: | Code function: | 3_2_026C9858 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Base64 encoded string: | ||
Source: | Base64 encoded string: | ||
Source: | Base64 encoded string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Data Obfuscation |
---|
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | Static PE information: |
Source: | Code function: | 3_2_026C0D61 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: |
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | Key value created or modified: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Code function: | 0_2_009D68A2 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | File source: | ||
Source: | File source: |
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: | ||
Source: | Reference to suspicious API methods: |
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Create Account | 312 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
74% | ReversingLabs | ByteCode-MSIL.Backdoor.Xhvnc | ||
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML | |||
74% | ReversingLabs | ByteCode-MSIL.Backdoor.Xhvnc |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ipinfo.io | 34.117.59.81 | true | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false |
| unknown | ||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
193.142.146.64 | unknown | Netherlands | 208046 | HOSTSLICK-GERMANYNL | false | |
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1526421 |
Start date and time: | 2024-10-05 16:37:04 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 5s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | build.exe |
Detection: | MAL |
Classification: | mal100.evad.winEXE@8/3@1/2 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target cvtres.exe, PID 6316 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: build.exe
Time | Type | Description |
---|---|---|
10:38:03 | API Interceptor | |
15:38:02 | Task Scheduler |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
193.142.146.64 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
34.117.59.81 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ipinfo.io | Get hash | malicious | PrivateLoader, Stealc, Vidar | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse |
| ||
Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
HOSTSLICK-GERMANYNL | Get hash | malicious | Remcos | Browse |
| |
Get hash | malicious | Remcos | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | Get hash | malicious | Phisher | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | PrivateLoader, Stealc, Vidar | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | Browse |
|
Process: | C:\Users\user\Desktop\build.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 617 |
Entropy (8bit): | 5.3554278163807965 |
Encrypted: | false |
SSDEEP: | 12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCv:MLU84qpE4KlKDE4KhKiKhIE4Ks |
MD5: | 8378C2E2DA2FDD2FB813AA6E18705667 |
SHA1: | EFA4CF7D0E19099EB95C3BCA32F6A5D111BFFF30 |
SHA-256: | C12EA9B40BA290B624BB2DDAFD4CB2CDC1C05AE1F5F142899D53CF9C54DFFA06 |
SHA-512: | 69C0E61617DFD6F843ECBA8D9328D6737BADAFB622236D3AC79E03590AFAFC5523E10D5E52AD8ACABD71EF9F4B202A654A386E1DF799CC9219CA4678145CDFDD |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\build.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 37376 |
Entropy (8bit): | 7.1308990174588125 |
Encrypted: | false |
SSDEEP: | 768:m10OhbWGFX9QY2A8ZaTJeXARCaib2Fgc44dxSi59J8:m1j7eYiZK1Lib2WGbSi59y |
MD5: | 76A22609F559DB1A73201B95A09053E7 |
SHA1: | 56D1D8DA4E5CEA24045CFADC46DF0D01BE4F161C |
SHA-256: | B39FC625927448FA634BF0241A8EABD228D9ACFFB3E66E1091EB1A7CB3F9D719 |
SHA-512: | 1E334D876B6EE6E1DB1D8E7C4587F33096FB2476AD755E5D9C7329D00C4C9A35010B09912B85342811CEFB612E80B540548F4FD21126E49D86C13CA4468E48FF |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10 |
Entropy (8bit): | 2.446439344671015 |
Encrypted: | false |
SSDEEP: | 3:MKV/z:MKBz |
MD5: | E27D47991851642F9EDCBA5827441DD5 |
SHA1: | D2D3C1B59CDE8CA587E7AF6AA565D0B3A6AD69AB |
SHA-256: | 0736DC7C3FEFD085EC17D24EF7BE290E4447B87A1196397DD3203D7C19EEACED |
SHA-512: | BEA4525CFC84C6C666628810723D2A28A2184AEC4F16F8F189425A2D669F62B5F89B00B5035D3B38A94629CF5B0EA5F3A4FD2B224A69C19B4450636AE9989205 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.1308990174588125 |
TrID: |
|
File name: | build.exe |
File size: | 37'376 bytes |
MD5: | 76a22609f559db1a73201b95a09053e7 |
SHA1: | 56d1d8da4e5cea24045cfadc46df0d01be4f161c |
SHA256: | b39fc625927448fa634bf0241a8eabd228d9acffb3e66e1091eb1a7cb3f9d719 |
SHA512: | 1e334d876b6ee6e1db1d8e7c4587f33096fb2476ad755e5d9c7329d00c4c9a35010b09912b85342811cefb612e80b540548f4fd21126e49d86c13ca4468e48ff |
SSDEEP: | 768:m10OhbWGFX9QY2A8ZaTJeXARCaib2Fgc44dxSi59J8:m1j7eYiZK1Lib2WGbSi59y |
TLSH: | 49F2C01463ED9E46E56D0DB84FF38A008BF0E6D11963E74F28C48089D7A37694AA17B6 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................ |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40a6ee |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0xC09B1206 [Wed May 25 07:49:26 2072 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6a0 | 0x4b | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x57c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa684 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x86f4 | 0x8800 | d0c9073e4bde4f13ccd64a67e418df2f | False | 0.8003791360294118 | data | 7.321757044315469 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xc000 | 0x57c | 0x600 | a97a34508c12d857871a91f00cd2479f | False | 0.4075520833333333 | data | 3.9774317822717205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xe000 | 0xc | 0x200 | 81416023e10a096458e5fbc41a4bf984 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xc090 | 0x2ec | data | 0.4344919786096257 | ||
RT_MANIFEST | 0xc38c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 5, 2024 16:38:02.442990065 CEST | 49730 | 2015 | 192.168.2.4 | 193.142.146.64 |
Oct 5, 2024 16:38:02.448379993 CEST | 2015 | 49730 | 193.142.146.64 | 192.168.2.4 |
Oct 5, 2024 16:38:02.448492050 CEST | 49730 | 2015 | 192.168.2.4 | 193.142.146.64 |
Oct 5, 2024 16:38:03.349845886 CEST | 49731 | 80 | 192.168.2.4 | 34.117.59.81 |
Oct 5, 2024 16:38:03.354971886 CEST | 80 | 49731 | 34.117.59.81 | 192.168.2.4 |
Oct 5, 2024 16:38:03.355037928 CEST | 49731 | 80 | 192.168.2.4 | 34.117.59.81 |
Oct 5, 2024 16:38:03.356287956 CEST | 49731 | 80 | 192.168.2.4 | 34.117.59.81 |
Oct 5, 2024 16:38:03.361126900 CEST | 80 | 49731 | 34.117.59.81 | 192.168.2.4 |
Oct 5, 2024 16:38:03.839647055 CEST | 80 | 49731 | 34.117.59.81 | 192.168.2.4 |
Oct 5, 2024 16:38:03.887738943 CEST | 49730 | 2015 | 192.168.2.4 | 193.142.146.64 |
Oct 5, 2024 16:38:03.893629074 CEST | 49731 | 80 | 192.168.2.4 | 34.117.59.81 |
Oct 5, 2024 16:38:03.894247055 CEST | 2015 | 49730 | 193.142.146.64 | 192.168.2.4 |
Oct 5, 2024 16:38:03.894311905 CEST | 49730 | 2015 | 192.168.2.4 | 193.142.146.64 |
Oct 5, 2024 16:38:03.900902033 CEST | 2015 | 49730 | 193.142.146.64 | 192.168.2.4 |
Oct 5, 2024 16:39:43.848033905 CEST | 49731 | 80 | 192.168.2.4 | 34.117.59.81 |
Oct 5, 2024 16:39:43.853061914 CEST | 80 | 49731 | 34.117.59.81 | 192.168.2.4 |
Oct 5, 2024 16:39:43.853146076 CEST | 49731 | 80 | 192.168.2.4 | 34.117.59.81 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 5, 2024 16:38:03.225924015 CEST | 53050 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 5, 2024 16:38:03.269551992 CEST | 53 | 53050 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 5, 2024 16:38:03.225924015 CEST | 192.168.2.4 | 1.1.1.1 | 0x376e | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 5, 2024 16:38:03.269551992 CEST | 1.1.1.1 | 192.168.2.4 | 0x376e | No error (0) | 34.117.59.81 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49731 | 34.117.59.81 | 80 | 6316 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 5, 2024 16:38:03.356287956 CEST | 61 | OUT | |
Oct 5, 2024 16:38:03.839647055 CEST | 240 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 10:37:59 |
Start date: | 05/10/2024 |
Path: | C:\Users\user\Desktop\build.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x370000 |
File size: | 37'376 bytes |
MD5 hash: | 76A22609F559DB1A73201B95A09053E7 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 10:37:59 |
Start date: | 05/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 2 |
Start time: | 10:37:59 |
Start date: | 05/10/2024 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72b770000 |
File size: | 5'141'208 bytes |
MD5 hash: | 662F4F92FDE3557E86D110526BB578D5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 10:38:00 |
Start date: | 05/10/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5a0000 |
File size: | 46'832 bytes |
MD5 hash: | 70D838A7DC5B359C3F938A71FAD77DB0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 4 |
Start time: | 10:38:00 |
Start date: | 05/10/2024 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72b770000 |
File size: | 5'141'208 bytes |
MD5 hash: | 662F4F92FDE3557E86D110526BB578D5 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 10:38:02 |
Start date: | 05/10/2024 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff72b770000 |
File size: | 5'141'208 bytes |
MD5 hash: | 662F4F92FDE3557E86D110526BB578D5 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 24.9% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 23.3% |
Total number of Nodes: | 73 |
Total number of Limit Nodes: | 6 |
Graph
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D3409 Relevance: 1.9, Strings: 1, Instructions: 659COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D64E8 Relevance: 1.7, APIs: 1, Instructions: 248COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D2AE0 Relevance: .3, Instructions: 260COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D07A9 Relevance: .2, Instructions: 150COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D07E8 Relevance: .1, Instructions: 133COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D0848 Relevance: .1, Instructions: 91COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D68A2 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D264E Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 339processCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D2658 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 337processCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D22D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116injectionCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D22C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115injectionCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D21B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D21A9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D2081 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97threadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D2088 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94threadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D1228 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77threadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D1230 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73threadCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D6194 Relevance: 2.1, APIs: 1, Instructions: 591COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D62F0 Relevance: 1.9, APIs: 1, Instructions: 353COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 009D62C0 Relevance: 1.8, APIs: 1, Instructions: 328COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C62A3 Relevance: 4.1, Strings: 3, Instructions: 354COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CB5D8 Relevance: 5.2, Strings: 4, Instructions: 242COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CB645 Relevance: 4.0, Strings: 3, Instructions: 223COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C57D0 Relevance: 2.8, Strings: 2, Instructions: 273COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C57BF Relevance: 2.8, Strings: 2, Instructions: 253COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C6010 Relevance: 2.6, Strings: 2, Instructions: 140COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CC2D8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C6000 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C132D Relevance: 1.4, Strings: 1, Instructions: 101COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C0D37 Relevance: .2, Instructions: 194COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C6CC8 Relevance: .2, Instructions: 157COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C0DB0 Relevance: .1, Instructions: 139COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C52E1 Relevance: .1, Instructions: 125COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA528 Relevance: .1, Instructions: 122COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C9638 Relevance: .1, Instructions: 118COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CADD0 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C96C8 Relevance: .1, Instructions: 106COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C559C Relevance: .1, Instructions: 100COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C55A8 Relevance: .1, Instructions: 96COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C96A8 Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C1418 Relevance: .1, Instructions: 88COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C5490 Relevance: .1, Instructions: 88COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA348 Relevance: .1, Instructions: 86COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C161C Relevance: .1, Instructions: 80COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C14F4 Relevance: .1, Instructions: 80COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C13C5 Relevance: .1, Instructions: 77COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C1628 Relevance: .1, Instructions: 73COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8D01C Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8D1CC Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C1500 Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C13D5 Relevance: .1, Instructions: 68COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8D005 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C13E5 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CADE0 Relevance: .1, Instructions: 59COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CB078 Relevance: .1, Instructions: 59COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00D8D1C7 Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA6B0 Relevance: .1, Instructions: 52COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA2AF Relevance: .0, Instructions: 45COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA2B8 Relevance: .0, Instructions: 41COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C7148 Relevance: .0, Instructions: 40COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA398 Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CACA0 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C5438 Relevance: .0, Instructions: 30COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C713B Relevance: .0, Instructions: 29COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CA358 Relevance: .0, Instructions: 26COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026CACB0 Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 026C5448 Relevance: .0, Instructions: 19COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|