Windows
Analysis Report
regscs.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- regscs.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\regscs.exe" MD5: FE4001F3584462A292BFF67B021A7337)
- regscs.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\regscs.exe" MD5: FE4001F3584462A292BFF67B021A7337)
- wscript.exe (PID: 1188 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcreg.exe.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- regscs.exe (PID: 2056 cmdline: "C:\Users\user\Desktop\regscs.exe" MD5: FE4001F3584462A292BFF67B021A7337)
- regscs.exe (PID: 1696 cmdline: "C:\Users\user\Desktop\regscs.exe" MD5: FE4001F3584462A292BFF67B021A7337)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_WebMonitor | Yara detected WebMonitor RAT | Joe Security | |
| Windows_Trojan_Revcoderat_8e6d4182 | unknown | unknown | |
| MALWARE_Win_RevCodeRAT | Detects RevCode/WebMonitor RAT | ditekSHen | |
| JoeSecurity_WebMonitor | Yara detected WebMonitor RAT | Joe Security | |
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_WebMonitor | Yara detected WebMonitor RAT | Joe Security | |
| Windows_Trojan_Revcoderat_8e6d4182 | unknown | unknown | |
| MALWARE_Win_RevCodeRAT | Detects RevCode/WebMonitor RAT | ditekSHen | |
| JoeSecurity_WebMonitor | Yara detected WebMonitor RAT | Joe Security | |
| Windows_Trojan_Revcoderat_8e6d4182 | unknown | unknown | |
System Summary |
---|
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Michael Haag: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-17T12:36:18.061159+0200 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.4 | 49730 | TCP |
2024-10-17T12:36:57.442571+0200 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.4 | 49738 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-17T12:37:06.336578+0200 | 2032361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49519 | 1.1.1.1 | 53 | UDP |
2024-10-17T12:37:48.818793+0200 | 2032361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49826 | 1.1.1.1 | 53 | UDP |
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | IP Address: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | UDP traffic detected without corresponding DNS query: | (17 entries) | |
Source: | DNS traffic detected: | (5 entries) | |
Source: | String found in binary or memory: | (9 entries) | |
Source: | File source: |
System Summary |
---|
Source: | Matched rule: | (9 entries) | |
Source: | COM Object queried: | Jump to behavior |
Source: | Code function: | 0_2_004BB83D | |
Source: | Code function: | 0_2_004BA4A9 | |
Source: | Code function: | 0_2_004B84BF | |
Source: | Code function: | 0_2_004B9925 | |
Source: | Code function: | 0_2_004B9670 | |
Source: | Code function: | 0_2_004B8A17 | |
Source: | Code function: | 0_2_004B884E | |
Source: | Code function: | 0_2_004BDA78 |
Source: | Static PE information: |
Source: | Matched rule: | (9 entries) | |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | Process created: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | (8 entries) | Jump to behavior |
Source: | Section loaded: | (108 entries) | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Window detected: |
Source: | Static file information: |
Source: | Code function: | 0_2_004BDEFC | |
Source: | Code function: | 0_2_004BDEFC | |
Source: | Code function: | 0_2_004BDEFC | |
Source: | Code function: | 0_2_004BDF6A | |
Source: | Code function: | 0_2_004BDF30 |
Boot Survival |
---|
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior | ||
Source: | File created: | Jump to behavior |
Source: | Process information set: | (7 entries) | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Binary or memory string: |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Memory allocated: | (8 entries) | Jump to behavior |
Source: | Window found: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep count: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: |
Source: | Binary or memory string: | (9 entries) | |
Source: | Process information queried: | Jump to behavior |
Source: | Process queried: | (6 entries) | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory protected: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | (5 entries) | |
Remote Access Functionality |
---|
Source: | File source: | (5 entries) | |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 111 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 111 Scripting | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 311 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 2 Registry Run Keys / Startup Folder | 13 Virtualization/Sandbox Evasion | LSASS Memory | 13 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 112 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
79% | ReversingLabs | Win32.Infostealer.Pony | ||
100% | Avira | HEUR/AGEN.1331242 | ||
100% | Joe Sandbox ML |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ntp.se | 194.58.200.20 | true | false | unknown | |
sdns.se | 185.141.152.26 | true | false | unknown | |
ee01439035b99fed4b57e5bd255d5faa.se | unknown | unknown | true | unknown | |
oryadshow.wm01.to | unknown | unknown | true | unknown | |
2aa4ccb27ab65b064eae52e993d5dbff.se | unknown | unknown | true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(9 entries, names not captured) | | false | unknown | |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
194.58.200.20 | ntp.se | Sweden | | 57021 | NTP-SEAnycastedNTPservicesfromNetnodIXPsSE | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1535915 |
Start date and time: | 2024-10-17 12:35:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | regscs.exe |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winEXE@8/1@55/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target regscs.exe, PID 1696 because there are no executed functions
- Execution Graph export aborted for target regscs.exe, PID 6404 because there are no executed functions
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: regscs.exe
Time | Type | Description |
---|---|---|
06:36:19 | API Interceptor | |
11:36:13 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
194.58.200.20 | | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ntp.se | | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
sdns.se | | Get hash | malicious | Remcos, WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
NTP-SEAnycastedNTPservicesfromNetnodIXPsSE | | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
| | Get hash | malicious | WebMonitor RAT | Browse | |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcreg.exe.vbs
Process: | C:\Users\user\Desktop\regscs.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 97 |
Entropy (8bit): | 5.021988615115362 |
Encrypted: | false |
SSDEEP: | 3:RUR8FgAExv22WtgpCdnydoNt+WfWXsHH2:RL3YviSs8doNwv82 |
MD5: | BC91062FC686E3A1D3627889ADB6915F |
SHA1: | 3AABCFF3250E2BEF0063B6F9D35FB9E8FEB36C96 |
SHA-256: | A2F37E5484E38EE589569C917DC28197E2C0CA46D6B3A616FEEB62CC78685F47 |
SHA-512: | 0545011EF11DCA71BC058527C8EF40E706EF015B190F956B9CC2E80AE53650212B4C941498C85E91088A9BCF9FFB41505F484796409F389AB76CC47D8FE253BE |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 7.215312083908525 |
TrID: | |
File name: | regscs.exe |
File size: | 1'294'848 bytes |
MD5: | fe4001f3584462a292bff67b021a7337 |
SHA1: | 5543207ebed4d7b50a350ece848c103dc7805f03 |
SHA256: | 9fbe0f24d1f2b9145043e85fe3b7dcfe3f5c76a2d4910487992d90ada0c7c520 |
SHA512: | a0cbabb0abba6fc8f3c1d1195cf0f6ccefb939713a338880dbcd86bebc4b346bcae0cc723952be57e672288e02c48c427ec677b70b1f8d324ce5d93e425f10ee |
SSDEEP: | 24576:o65HsW9xMob+T2vJN3kKnVbKep4X7gTY6bW8JNQcgNUJLB:95sSxzZVVKWQc/v |
TLSH: | D755AF22F6F14437C5731A3C8C2BA769982ABE107E28684A7BE41D4C5F39E417D352E7 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 93296531faccf517 |
Entrypoint: | 0x4be23c |
Entrypoint Section: | CODE |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x29C6B649 [Wed Mar 18 03:17:29 1992 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | e0e0f68fc5483a21553d028d1fe27596 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 004BDF74h |
call 00007F3478FF8049h |
mov eax, dword ptr [004C0B68h] |
mov eax, dword ptr [eax] |
call 00007F347905B369h |
mov ecx, dword ptr [004C0CFCh] |
mov eax, dword ptr [004C0B68h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [004B7E84h] |
call 00007F347905B369h |
mov eax, dword ptr [004C0B68h] |
mov eax, dword ptr [eax] |
call 00007F347905B3DDh |
call 00007F3478FF5B04h |
lea eax, dword ptr [eax+00h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0x261a | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd5000 | 0x6cf88 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc7000 | 0xd1c8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
CODE | 0x1000 | 0xbd284 | 0xbd400 | fbe4fd8b3404bc7961b5388b030b7e19 | False | 0.5090728719451784 | data | 6.588736337174684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
DATA | 0xbf000 | 0x1dc8 | 0x1e00 | a705053cfd50f3a693489a4efadd01fb | False | 0.47369791666666666 | data | 4.49803816205231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
BSS | 0xc1000 | 0xcd1 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc2000 | 0x261a | 0x2800 | 48d32ba38610c4bc588530be6cb78860 | False | 0.3490234375 | data | 4.880248846785967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0xc5000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xc6000 | 0x18 | 0x200 | 27f1af8b3b369969975946ea1d3ec7f2 | False | 0.05078125 | data | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.reloc | 0xc7000 | 0xd1c8 | 0xd200 | e7138711b9ed2db87426042358a95b3e | False | 0.5318452380952381 | data | 6.63396083890795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0xd5000 | 0x6cf88 | 0x6d000 | fb321da6f4e2ff1dd1c731c10f5a6a64 | False | 0.8770897541571101 | DIY-Thermocam raw data (Lepton 2.x), scale 10240-0, spot sensor temperature 0.000000, unit celsius, color scheme 18, minimum point enabled, calibration: offset 0.000000, slope 2417851639229258349412352.000000 | 7.648035112047126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0xd63f0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | 0.38636363636363635 | ||
RT_CURSOR | 0xd6524 | 0x134 | data | 0.4642857142857143 | ||
RT_CURSOR | 0xd6658 | 0x134 | data | 0.4805194805194805 | ||
RT_CURSOR | 0xd678c | 0x134 | data | 0.38311688311688313 | ||
RT_CURSOR | 0xd68c0 | 0x134 | data | 0.36038961038961037 | ||
RT_CURSOR | 0xd69f4 | 0x134 | data | 0.4090909090909091 | ||
RT_CURSOR | 0xd6b28 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | 0.4967532467532468 | ||
RT_BITMAP | 0xd6c5c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.43103448275862066 | ||
RT_BITMAP | 0xd6e2c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | 0.46487603305785125 | ||
RT_BITMAP | 0xd7010 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.43103448275862066 | ||
RT_BITMAP | 0xd71e0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.39870689655172414 | ||
RT_BITMAP | 0xd73b0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.4245689655172414 | ||
RT_BITMAP | 0xd7580 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.5021551724137931 | ||
RT_BITMAP | 0xd7750 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.5064655172413793 | ||
RT_BITMAP | 0xd7920 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.39655172413793105 | ||
RT_BITMAP | 0xd7af0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.5344827586206896 | ||
RT_BITMAP | 0xd7cc0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | 0.39655172413793105 | ||
RT_BITMAP | 0xd7e90 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | 0.4870689655172414 | ||
RT_ICON | 0xd7f78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.6436170212765957 |
RT_MENU | 0xd83e0 | 0x2c47 | data | English | United States | 0.8880458756065285 |
RT_MENU | 0xdb028 | 0x2c47 | data | English | United States | 0.9384208204675782 |
RT_MENU | 0xddc70 | 0x2c47 | data | English | United States | 0.9393030436700486 |
RT_MENU | 0xe08b8 | 0x2c47 | data | English | United States | 0.937097485663873 |
RT_MENU | 0xe3500 | 0x2c47 | data | English | United States | 0.941067490074989 |
RT_MENU | 0xe6148 | 0x2c47 | data | English | United States | 0.9390383767093075 |
RT_MENU | 0xe8d90 | 0x2c47 | data | English | United States | 0.9405381561535069 |
RT_MENU | 0xeb9d8 | 0x2c47 | data | English | United States | 0.941067490074989 |
RT_MENU | 0xee620 | 0x2c47 | data | English | United States | 0.9417732686369652 |
RT_MENU | 0xf1268 | 0x2c47 | data | English | United States | 0.9415968239964712 |
RT_MENU | 0xf3eb0 | 0x2c47 | data | English | United States | 0.9415968239964712 |
RT_MENU | 0xf6af8 | 0x2c47 | data | English | United States | 0.9414203793559771 |
RT_MENU | 0xf9740 | 0x2c47 | data | English | United States | 0.9412439347154831 |
RT_MENU | 0xfc388 | 0x2c47 | data | English | United States | 0.9422143802382003 |
RT_MENU | 0xfefd0 | 0x2c47 | data | English | United States | 0.9417732686369652 |
RT_MENU | 0x101c18 | 0x2c47 | data | English | United States | 0.9392148213498015 |
RT_MENU | 0x104860 | 0x2c47 | data | English | United States | 0.8683722981914425 |
RT_MENU | 0x1074a8 | 0x2c47 | data | English | United States | 0.9126599029554477 |
RT_MENU | 0x10a0f0 | 0x2c47 | data | English | United States | 0.941067490074989 |
RT_MENU | 0x10cd38 | 0x2c47 | data | English | United States | 0.9402734891927658 |
RT_MENU | 0x10f980 | 0x2c47 | data | English | United States | 0.9423026025584473 |
RT_MENU | 0x1125c8 | 0x2c47 | zlib compressed data | English | United States | 0.9420379355977062 |
RT_MENU | 0x115210 | 0x2c47 | data | English | United States | 0.9414203793559771 |
RT_MENU | 0x117e58 | 0x2c47 | data | English | United States | 0.9416850463167181 |
RT_MENU | 0x11aaa0 | 0x2c47 | data | English | United States | 0.9416850463167181 |
RT_MENU | 0x11d6e8 | 0x2c47 | data | English | United States | 0.9419497132774592 |
RT_MENU | 0x120330 | 0x2c47 | data | English | United States | 0.9419497132774592 |
RT_MENU | 0x122f78 | 0x2c47 | data | English | United States | 0.9419497132774592 |
RT_MENU | 0x125bc0 | 0x2c47 | data | English | United States | 0.9414203793559771 |
RT_MENU | 0x128808 | 0x2c47 | data | English | United States | 0.941155712395236 |
RT_MENU | 0x12b450 | 0x2c47 | data | English | United States | 0.9415086016762241 |
RT_MENU | 0x12e098 | 0x2c47 | data | English | United States | 0.9414203793559771 |
RT_MENU | 0x130ce0 | 0x2c47 | data | English | United States | 0.8887516541685047 |
RT_MENU | 0x133928 | 0x2c47 | data | English | United States | 0.9369210410233789 |
RT_MENU | 0x136570 | 0x2c47 | data | English | United States | 0.8592853992059991 |
RT_MENU | 0x1391b8 | 0x2c47 | data | English | United States | 0.8872518747243052 |
RT_DIALOG | 0x13be00 | 0x52 | data | 0.7682926829268293 | ||
RT_STRING | 0x13be54 | 0x1e8 | data | 0.42827868852459017 | ||
RT_STRING | 0x13c03c | 0x584 | data | 0.35127478753541075 | ||
RT_STRING | 0x13c5c0 | 0x57c | data | 0.3482905982905983 | ||
RT_STRING | 0x13cb3c | 0x40c | data | 0.4092664092664093 | ||
RT_STRING | 0x13cf48 | 0x488 | data | 0.3905172413793103 | ||
RT_STRING | 0x13d3d0 | 0x464 | data | 0.3371886120996441 | ||
RT_STRING | 0x13d834 | 0x4d4 | data | 0.3333333333333333 | ||
RT_STRING | 0x13dd08 | 0x5a4 | data | 0.25069252077562326 | ||
RT_STRING | 0x13e2ac | 0x3f4 | data | 0.3893280632411067 | ||
RT_STRING | 0x13e6a0 | 0x1d8 | data | 0.3983050847457627 | ||
RT_STRING | 0x13e878 | 0x198 | data | 0.4877450980392157 | ||
RT_STRING | 0x13ea10 | 0x174 | data | 0.5161290322580645 | ||
RT_STRING | 0x13eb84 | 0x2ac | data | 0.47953216374269003 | ||
RT_STRING | 0x13ee30 | 0xe0 | data | 0.5892857142857143 | ||
RT_STRING | 0x13ef10 | 0x12c | data | 0.5533333333333333 | ||
RT_STRING | 0x13f03c | 0x290 | data | 0.4649390243902439 | ||
RT_STRING | 0x13f2cc | 0x41c | data | 0.37927756653992395 | ||
RT_STRING | 0x13f6e8 | 0x394 | data | 0.3777292576419214 | ||
RT_STRING | 0x13fa7c | 0x40c | data | 0.3416988416988417 | ||
RT_STRING | 0x13fe88 | 0x1b0 | data | 0.4675925925925926 | ||
RT_STRING | 0x140038 | 0xec | data | 0.5508474576271186 | ||
RT_STRING | 0x140124 | 0x20c | data | 0.5 | ||
RT_STRING | 0x140330 | 0x454 | data | 0.3231046931407942 | ||
RT_STRING | 0x140784 | 0x3d0 | data | 0.36168032786885246 | ||
RT_STRING | 0x140b54 | 0x2fc | data | 0.36649214659685864 | ||
RT_STRING | 0x140e50 | 0x354 | data | 0.318075117370892 | ||
RT_RCDATA | 0x1411a4 | 0x10 | data | 1.5 | ||
RT_RCDATA | 0x1411b4 | 0x388 | data | 0.6957964601769911 | ||
RT_RCDATA | 0x14153c | 0x527 | Delphi compiled form 'TForm1' | 0.5238817285822593 | ||
RT_GROUP_CURSOR | 0x141a64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.25 | ||
RT_GROUP_CURSOR | 0x141a78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.25 | ||
RT_GROUP_CURSOR | 0x141a8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
RT_GROUP_CURSOR | 0x141aa0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
RT_GROUP_CURSOR | 0x141ab4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
RT_GROUP_CURSOR | 0x141ac8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
RT_GROUP_CURSOR | 0x141adc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | 1.3 | ||
RT_GROUP_ICON | 0x141af0 | 0x14 | data | English | United States | 1.1 |
RT_DLGINCLUDE | 0x141b04 | 0x239 | data | English | United States | 0.3321616871704745 |
RT_MANIFEST | 0x141d40 | 0x245 | XML 1.0 document, ASCII text, with CRLF line terminators | 0.5249569707401033 |
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
advapi32.dll | RegQueryValueExA, RegQueryValueA, RegOpenKeyExA, RegOpenKeyA, RegEnumKeyA, RegCloseKey |
kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualFree, VirtualAlloc, SleepEx, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt |
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
ole32.dll | CoTaskMemFree, StringFromCLSID |
kernel32.dll | Sleep |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, ProgIDFromCLSID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID |
oleaut32.dll | CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, SafeArrayCopy, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayDestroy, SafeArrayCreate, SysFreeString |
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-17T12:36:18.061159+0200 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.4 | 49730 | TCP |
2024-10-17T12:36:57.442571+0200 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.4 | 49738 | TCP |
2024-10-17T12:37:06.336578+0200 | 2032361 | ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup | 1 | 192.168.2.4 | 49519 | 1.1.1.1 | 53 | UDP |
2024-10-17T12:37:48.818793+0200 | 2032361 | ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup | 1 | 192.168.2.4 | 49826 | 1.1.1.1 | 53 | UDP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 17, 2024 12:36:20.587080002 CEST | 52591 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 17, 2024 12:36:20.713251114 CEST | 53 | 52591 | 1.1.1.1 | 192.168.2.4 |
Oct 17, 2024 12:36:20.725343943 CEST | 60772 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 17, 2024 12:36:20.763101101 CEST | 53 | 60772 | 1.1.1.1 | 192.168.2.4 |
Oct 17, 2024 12:36:20.763926029 CEST | 60773 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:36:21.506346941 CEST | 123 | 60773 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:36:21.509265900 CEST | 54423 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:22.533879995 CEST | 54423 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:23.547190905 CEST | 54423 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:25.551852942 CEST | 54423 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:29.551846027 CEST | 54423 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:33.600018978 CEST | 61390 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:36:34.337924004 CEST | 123 | 61390 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:36:34.339534998 CEST | 60547 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:35.351449966 CEST | 60547 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:36.348685980 CEST | 60547 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:38.348716974 CEST | 60547 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:42.211116076 CEST | 60548 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:36:42.364634991 CEST | 60547 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:42.947078943 CEST | 123 | 60548 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:36:42.949495077 CEST | 52370 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:43.958719969 CEST | 52370 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:45.026626110 CEST | 52370 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:46.381371975 CEST | 52807 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:47.020767927 CEST | 52370 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:47.402045012 CEST | 52807 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:48.411377907 CEST | 52807 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:50.411134958 CEST | 52807 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:51.036380053 CEST | 52370 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:54.411277056 CEST | 52807 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:36:59.449229956 CEST | 54641 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:37:00.191337109 CEST | 123 | 54641 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:37:00.192275047 CEST | 58464 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:00.588907003 CEST | 53 | 58464 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:00.590186119 CEST | 63828 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:01.598738909 CEST | 63828 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:01.808985949 CEST | 53 | 63828 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:02.824888945 CEST | 63829 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:37:03.538239002 CEST | 123 | 63829 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:37:03.541316986 CEST | 65264 | 53 | 192.168.2.4 | 114.114.114.114 |
Oct 17, 2024 12:37:04.064342976 CEST | 53 | 65264 | 114.114.114.114 | 192.168.2.4 |
Oct 17, 2024 12:37:04.065403938 CEST | 59244 | 53 | 192.168.2.4 | 114.114.114.114 |
Oct 17, 2024 12:37:04.308197975 CEST | 53 | 59244 | 114.114.114.114 | 192.168.2.4 |
Oct 17, 2024 12:37:06.336577892 CEST | 49519 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 17, 2024 12:37:06.431488991 CEST | 53 | 49519 | 1.1.1.1 | 192.168.2.4 |
Oct 17, 2024 12:37:06.438659906 CEST | 49520 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:37:07.153660059 CEST | 123 | 49520 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:37:07.154660940 CEST | 57220 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:08.145558119 CEST | 57220 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:09.161195040 CEST | 57220 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:11.162712097 CEST | 57220 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:15.176798105 CEST | 57220 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:19.177800894 CEST | 64019 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:20.192552090 CEST | 64019 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:21.208143950 CEST | 64019 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:23.223731995 CEST | 64019 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:27.239564896 CEST | 64019 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:32.266598940 CEST | 64020 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:37:32.992904902 CEST | 123 | 64020 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:37:32.994116068 CEST | 64694 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:33.989332914 CEST | 64694 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:35.330679893 CEST | 64694 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:37.344841003 CEST | 64694 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:41.348963976 CEST | 64694 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:44.213418961 CEST | 53 | 64694 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:44.213443041 CEST | 53 | 64694 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:44.214549065 CEST | 62289 | 53 | 192.168.2.4 | 1.2.4.8 |
Oct 17, 2024 12:37:44.416883945 CEST | 53 | 62289 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:45.438944101 CEST | 62290 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:37:46.161945105 CEST | 123 | 62290 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:37:46.163115025 CEST | 54338 | 53 | 192.168.2.4 | 114.114.114.114 |
Oct 17, 2024 12:37:46.481390953 CEST | 53 | 54338 | 114.114.114.114 | 192.168.2.4 |
Oct 17, 2024 12:37:46.482877016 CEST | 57120 | 53 | 192.168.2.4 | 114.114.114.114 |
Oct 17, 2024 12:37:46.791703939 CEST | 53 | 57120 | 114.114.114.114 | 192.168.2.4 |
Oct 17, 2024 12:37:48.609683990 CEST | 53 | 64694 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:48.609761000 CEST | 53 | 64694 | 1.2.4.8 | 192.168.2.4 |
Oct 17, 2024 12:37:48.818793058 CEST | 49826 | 53 | 192.168.2.4 | 1.1.1.1 |
Oct 17, 2024 12:37:48.836244106 CEST | 53 | 49826 | 1.1.1.1 | 192.168.2.4 |
Oct 17, 2024 12:37:48.845738888 CEST | 49827 | 123 | 192.168.2.4 | 194.58.200.20 |
Oct 17, 2024 12:37:49.562891006 CEST | 123 | 49827 | 194.58.200.20 | 192.168.2.4 |
Oct 17, 2024 12:37:49.564217091 CEST | 55140 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:50.567548037 CEST | 55140 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:51.567507982 CEST | 55140 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:53.586507082 CEST | 55140 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:37:57.583372116 CEST | 55140 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:38:01.599688053 CEST | 63184 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:38:02.616705894 CEST | 63184 | 53 | 192.168.2.4 | 185.141.152.26 |
Oct 17, 2024 12:38:03.614784956 CEST | 63184 | 53 | 192.168.2.4 | 185.141.152.26 |
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Oct 17, 2024 12:37:48.609857082 CEST | 192.168.2.4 | 1.2.4.8 | c54d | (Port unreachable) | Destination Unreachable |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 17, 2024 12:36:20.587080002 CEST | 192.168.2.4 | 1.1.1.1 | 0xe279 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:20.725343943 CEST | 192.168.2.4 | 1.1.1.1 | 0xcf70 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:21.509265900 CEST | 192.168.2.4 | 185.141.152.26 | 0x74e1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:22.533879995 CEST | 192.168.2.4 | 185.141.152.26 | 0x74e1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:23.547190905 CEST | 192.168.2.4 | 185.141.152.26 | 0x74e1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:25.551852942 CEST | 192.168.2.4 | 185.141.152.26 | 0x74e1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:29.551846027 CEST | 192.168.2.4 | 185.141.152.26 | 0x74e1 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:34.339534998 CEST | 192.168.2.4 | 185.141.152.26 | 0x2fd9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:35.351449966 CEST | 192.168.2.4 | 185.141.152.26 | 0x2fd9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:36.348685980 CEST | 192.168.2.4 | 185.141.152.26 | 0x2fd9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:38.348716974 CEST | 192.168.2.4 | 185.141.152.26 | 0x2fd9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:42.364634991 CEST | 192.168.2.4 | 185.141.152.26 | 0x2fd9 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:42.949495077 CEST | 192.168.2.4 | 185.141.152.26 | 0x5181 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:43.958719969 CEST | 192.168.2.4 | 185.141.152.26 | 0x5181 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:45.026626110 CEST | 192.168.2.4 | 185.141.152.26 | 0x5181 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:46.381371975 CEST | 192.168.2.4 | 185.141.152.26 | 0x896b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:47.020767927 CEST | 192.168.2.4 | 185.141.152.26 | 0x5181 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:47.402045012 CEST | 192.168.2.4 | 185.141.152.26 | 0x896b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:48.411377907 CEST | 192.168.2.4 | 185.141.152.26 | 0x896b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:50.411134958 CEST | 192.168.2.4 | 185.141.152.26 | 0x896b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:51.036380053 CEST | 192.168.2.4 | 185.141.152.26 | 0x5181 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:36:54.411277056 CEST | 192.168.2.4 | 185.141.152.26 | 0x896b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:00.192275047 CEST | 192.168.2.4 | 1.2.4.8 | 0xea98 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:00.590186119 CEST | 192.168.2.4 | 1.2.4.8 | 0xf637 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:01.598738909 CEST | 192.168.2.4 | 1.2.4.8 | 0xf637 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:03.541316986 CEST | 192.168.2.4 | 114.114.114.114 | 0xe499 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:04.065403938 CEST | 192.168.2.4 | 114.114.114.114 | 0x83d4 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:06.336577892 CEST | 192.168.2.4 | 1.1.1.1 | 0x710c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:07.154660940 CEST | 192.168.2.4 | 185.141.152.26 | 0x952f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:08.145558119 CEST | 192.168.2.4 | 185.141.152.26 | 0x952f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:09.161195040 CEST | 192.168.2.4 | 185.141.152.26 | 0x952f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:11.162712097 CEST | 192.168.2.4 | 185.141.152.26 | 0x952f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:15.176798105 CEST | 192.168.2.4 | 185.141.152.26 | 0x952f | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:19.177800894 CEST | 192.168.2.4 | 185.141.152.26 | 0x16c2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:20.192552090 CEST | 192.168.2.4 | 185.141.152.26 | 0x16c2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:21.208143950 CEST | 192.168.2.4 | 185.141.152.26 | 0x16c2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:23.223731995 CEST | 192.168.2.4 | 185.141.152.26 | 0x16c2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:27.239564896 CEST | 192.168.2.4 | 185.141.152.26 | 0x16c2 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:32.994116068 CEST | 192.168.2.4 | 1.2.4.8 | 0xa94c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:33.989332914 CEST | 192.168.2.4 | 1.2.4.8 | 0xa94c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:35.330679893 CEST | 192.168.2.4 | 1.2.4.8 | 0xa94c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:37.344841003 CEST | 192.168.2.4 | 1.2.4.8 | 0xa94c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:41.348963976 CEST | 192.168.2.4 | 1.2.4.8 | 0xa94c | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:44.214549065 CEST | 192.168.2.4 | 1.2.4.8 | 0x2b37 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:46.163115025 CEST | 192.168.2.4 | 114.114.114.114 | 0xc577 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:46.482877016 CEST | 192.168.2.4 | 114.114.114.114 | 0x8e45 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:48.818793058 CEST | 192.168.2.4 | 1.1.1.1 | 0x5597 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:49.564217091 CEST | 192.168.2.4 | 185.141.152.26 | 0x36a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:50.567548037 CEST | 192.168.2.4 | 185.141.152.26 | 0x36a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:51.567507982 CEST | 192.168.2.4 | 185.141.152.26 | 0x36a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:53.586507082 CEST | 192.168.2.4 | 185.141.152.26 | 0x36a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:57.583372116 CEST | 192.168.2.4 | 185.141.152.26 | 0x36a0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:38:01.599688053 CEST | 192.168.2.4 | 185.141.152.26 | 0xad8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:38:02.616705894 CEST | 192.168.2.4 | 185.141.152.26 | 0xad8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:38:03.614784956 CEST | 192.168.2.4 | 185.141.152.26 | 0xad8 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 17, 2024 12:36:20.713251114 CEST | 1.1.1.1 | 192.168.2.4 | 0xe279 | No error (0) | 185.141.152.26 | A (IP address) | IN (0x0001) | false | ||
Oct 17, 2024 12:36:20.763101101 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf70 | No error (0) | 194.58.200.20 | A (IP address) | IN (0x0001) | false | ||
Oct 17, 2024 12:37:00.588907003 CEST | 1.2.4.8 | 192.168.2.4 | 0xea98 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:01.808985949 CEST | 1.2.4.8 | 192.168.2.4 | 0xf637 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:04.064342976 CEST | 114.114.114.114 | 192.168.2.4 | 0xe499 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:04.308197975 CEST | 114.114.114.114 | 192.168.2.4 | 0x83d4 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:06.431488991 CEST | 1.1.1.1 | 192.168.2.4 | 0x710c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:44.213418961 CEST | 1.2.4.8 | 192.168.2.4 | 0xa94c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:44.213443041 CEST | 1.2.4.8 | 192.168.2.4 | 0xa94c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:44.416883945 CEST | 1.2.4.8 | 192.168.2.4 | 0x2b37 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:46.481390953 CEST | 114.114.114.114 | 192.168.2.4 | 0xc577 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:46.791703939 CEST | 114.114.114.114 | 192.168.2.4 | 0x8e45 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:48.609683990 CEST | 1.2.4.8 | 192.168.2.4 | 0xa94c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:48.609761000 CEST | 1.2.4.8 | 192.168.2.4 | 0xa94c | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Oct 17, 2024 12:37:48.836244106 CEST | 1.1.1.1 | 192.168.2.4 | 0x5597 | Name error (3) | none | none | A (IP address) | IN (0x0001) | false | |
Target ID: | 0 |
Start time: | 06:35:58 |
Start date: | 17/10/2024 |
Path: | C:\Users\user\Desktop\regscs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'294'848 bytes |
MD5 hash: | FE4001F3584462A292BFF67B021A7337 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 06:36:12 |
Start date: | 17/10/2024 |
Path: | C:\Users\user\Desktop\regscs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'294'848 bytes |
MD5 hash: | FE4001F3584462A292BFF67B021A7337 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 5 |
Start time: | 06:36:22 |
Start date: | 17/10/2024 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6c6af0000 |
File size: | 170'496 bytes |
MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 06:36:22 |
Start date: | 17/10/2024 |
Path: | C:\Users\user\Desktop\regscs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'294'848 bytes |
MD5 hash: | FE4001F3584462A292BFF67B021A7337 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 06:36:34 |
Start date: | 17/10/2024 |
Path: | C:\Users\user\Desktop\regscs.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'294'848 bytes |
MD5 hash: | FE4001F3584462A292BFF67B021A7337 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 22.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 13.6% |
Total number of Nodes: | 162 |
Total number of Limit Nodes: | 13 |
Graph
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
004B9925 | 1.5 | 1 | | 11 | native, COMMON |
004B884E | 1.5 | 1 | | 9 | native, COMMON |
004B9670 | 1.5 | 1 | | 8 | native, COMMON |
004BDA78 | 1.5 | 1 | | 7 | native, COMMON |
004BB83D | 1.5 | 1 | | 5 | native, COMMON |
004BA4A9 | .0 | | | 20 | COMMON |
004B8A17 | .0 | | | 14 | COMMON |
004BDD18 | 14.2 | 5 | 3 | 151 | memory, COMMON |
004BD275 | 10.5 | 1 | 6 | 30 | memory, COMMON |
004B9660 | 8.8 | 1 | 4 | 37 | library, COMMON |
004BDD16 | 7.6 | 2 | 3 | 79 | memory, COMMON |
004BA226 | 5.3 | 1 | 2 | 23 | library, COMMON |
004BA51E | 3.0 | 2 | | 14 | file, COMMON |
004BDD8A | 2.5 | 2 | | 42 | memory, COMMON |
004B83EA | 2.5 | 2 | | 33 | memory, COMMON |
004B8130 | 1.5 | 1 | | 48 | COMMON |
004B9FC7 | 1.5 | 1 | | 38 | COMMON |
004B8A59 | 1.5 | 1 | | 22 | COMMON |
004BCA98 | 1.5 | 1 | | 22 | file, COMMON |
004BA183 | 1.5 | 1 | | 17 | file, COMMON |
004BB55C | 1.5 | 1 | | 15 | thread, COMMON |
004BA99F | 1.5 | 1 | | 14 | COMMON |
004BAD28 | 1.5 | 1 | | 13 | COMMON |
004BBA7A | 1.5 | 1 | | 12 | file, COMMON |
004BC01D | 1.5 | 1 | | 12 | thread, COMMON |
004BD77A | 1.5 | 1 | | 12 | COMMON |
004B825D | 1.5 | 1 | | 10 | process, COMMON |
004BCC43 | 1.5 | 1 | | 8 | thread, COMMON |
004BD5CF | 1.5 | 1 | | 8 | file, COMMON |
004BC7C7 | 1.5 | 1 | | 8 | COMMON |
004B81EC | 1.3 | 1 | | 55 | COMMON |
004BA482 | 1.3 | 1 | | 27 | memory, COMMON |
004B96D4 | 1.3 | 1 | | 26 | memory, COMMON |
004B855B | 1.3 | 1 | | 21 | memory, COMMON |
004BD2EB | 1.3 | 1 | | 18 | memory, COMMON |
004BA125 | 1.3 | 1 | | 17 | COMMON |
004BD2E6 | 1.3 | 1 | | 16 | memory, COMMON |
004BB933 | 1.3 | 1 | | 15 | memory, COMMON |
004BBEDD | 1.3 | 1 | | 11 | memory, COMMON |
004BA094 | 1.3 | 1 | | 11 | memory, COMMON |
004BCF56 | 1.3 | 1 | | 10 | memory, COMMON |
004BB85D | 1.3 | 1 | | 8 | memory, COMMON |
004BB139 | 1.3 | 1 | | 5 | memory, COMMON |