Edit tour
Windows
Analysis Report
eAvqHiIsgR.exe
Overview
General Information
| Sample name: | eAvqHiIsgR.exerenamed because original name is a hash value |
| Original sample name: | e67d5a5be1e0f1033957b79737340afe9889998f6c2db786144b415ddf202ee7.exe |
| Analysis ID: | 1567591 |
| MD5: | 61518cfded3109fac04ee916ab275c26 |
| SHA1: | c624a4ee78183d82fb8264f74953d32ddcae5481 |
| SHA256: | e67d5a5be1e0f1033957b79737340afe9889998f6c2db786144b415ddf202ee7 |
| Tags: | exeGuLoadersigneduser-adrian__luca |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
eAvqHiIsgR.exe (PID: 4872 cmdline:
"C:\Users\ user\Deskt op\eAvqHiI sgR.exe" MD5: 61518CFDED3109FAC04EE916AB275C26) "C:\Users\ user\Deskt op\eAvqHiI sgR.exe" MD5: 61518CFDED3109FAC04EE916AB275C26)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T17:33:47.033223+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49913 | 172.217.19.174 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 5_2_0040646B | |
| Source: | Code function: | 5_2_004027A1 | |
| Source: | Code function: | 5_2_004058BF | |
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 5_2_0040535C | |
| Source: | Process Stats: | ||
| Source: | Code function: | 5_2_00403348 | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 5_2_00406945 | |
| Source: | Code function: | 5_2_0040711C | |
| Source: | Code function: | 5_2_701A1A98 | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 5_2_00403348 | |
| Source: | Code function: | 5_2_0040460D | |
| Source: | Code function: | 5_2_0040216B | |
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | LNK file: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 5_2_701A1A98 | |
| Source: | Code function: | 5_2_701A2F8E | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | API/Special instruction interceptor: | ||
| Source: | API/Special instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | RDTSC instruction interceptor: | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Code function: | 5_2_0040646B | |
| Source: | Code function: | 5_2_004027A1 | |
| Source: | Code function: | 5_2_004058BF | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_5-4156 | ||
| Source: | API call chain: | graph_5-3981 | ||
| Source: | Code function: | 5_2_701A1A98 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 5_2_00403348 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 61% | ReversingLabs | Win32.Trojan.Guloader | ||
| 100% | Avira | TR/Injector.csnhe |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| drive.google.com | 172.217.19.174 | true | false | high | |
| drive.usercontent.google.com | 142.250.181.129 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 142.250.181.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false | |
| 172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1567591 |
| Start date and time: | 2024-12-03 17:30:55 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 9s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | eAvqHiIsgR.exerenamed because original name is a hash value |
| Original Sample Name: | e67d5a5be1e0f1033957b79737340afe9889998f6c2db786144b415ddf202ee7.exe |
| Detection: | MAL |
| Classification: | mal76.troj.evad.winEXE@3/8@2/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtCreateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: eAvqHiIsgR.exe
⊘No simulations
⊘No context
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader | Browse |
| |
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsa617D.tmp\System.dll | Get hash | malicious | Remcos, GuLoader | Browse | ||
| Get hash | malicious | FormBook, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader, Remcos | Browse | |||
| Get hash | malicious | GuLoader, Snake Keylogger | Browse | |||
| Get hash | malicious | FormBook, GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | GuLoader | Browse | |||
| Get hash | malicious | FormBook, GuLoader | Browse |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 11776 |
| Entropy (8bit): | 5.854450882766351 |
| Encrypted: | false |
| SSDEEP: | 192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4 |
| MD5: | 34442E1E0C2870341DF55E1B7B3CCCDC |
| SHA1: | 99B2FA21AEAD4B6CCD8FF2F6D3D3453A51D9C70C |
| SHA-256: | 269D232712C86983336BADB40B9E55E80052D8389ED095EBF9214964D43B6BB1 |
| SHA-512: | 4A8C57FB12997438B488B862F3FC9DC0F236E07BB47B2BCE6053DCB03AC7AD171842F02AC749F02DDA4719C681D186330524CD2953D33CB50854844E74B33D51 |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 437032 |
| Entropy (8bit): | 2.6470522931567846 |
| Encrypted: | false |
| SSDEEP: | 3072:bSnLz72K/yG3pRsYhtRpehLG3a+slQ2huKa:oLz72xGZRsiRpe9CZslQ2huT |
| MD5: | 53118B7494C59D46E9BFD8977F248EDA |
| SHA1: | 2F6C3005A562EB0D187BF751D949FECC3FEA7C9E |
| SHA-256: | F7A37EC1F6A7E6CA0ECBD78BCC9BCC4801F233E0B5F9156A025CE5723A3D0BEB |
| SHA-512: | 9188CB5A8A1EE5ACAAFB715C5EAEC50C187D2C7DB357AE90C1F7B51AF95E9409681A7B0D119994011F54181A81C18C09EAE6A07BD2E240B4E31185CC15422DD4 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 207640 |
| Entropy (8bit): | 7.546004720534882 |
| Encrypted: | false |
| SSDEEP: | 3072:ASesIpE62+wizRgXw/kibtZaVNv4rw9KKRiYeKJSulQB0ClQztX9JnJg2yJ6MKN+:AFsIpGgm/9HteKby0oQznM2Aa+ |
| MD5: | 252B537AA9192BBF6F11B925E38F0353 |
| SHA1: | 5FA65E7E8E29B9097AE0510E4D405CDC2AF764BC |
| SHA-256: | 44A675E5F8D832568BF91CD9C6D6D393FE4B55D8FE353492CBE5CA42B8FE0002 |
| SHA-512: | FD5EA259314B678A8506BF6C2E47A1C133882F1CDD9F4BF5C82E56AC5E67AE6ED89FAF6A635AB4EDA451074D87B02E17D14191A44E0AD8F40AA08004549ADFA3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 485127 |
| Entropy (8bit): | 1.2565961974341746 |
| Encrypted: | false |
| SSDEEP: | 768:bgBMgq+aLnwfPnz/Km1iLGyDPiU55NCk+T93YpnK77oTpvYP3knePjlW0kwNGL+q:XQ3wvosOsCpxFJrXSBmHzTu58UR |
| MD5: | 580D05E679E74B036B55CA8E5FF32769 |
| SHA1: | 10175C43AB7B725FFFCF770EB2C3555E91D3BA13 |
| SHA-256: | B3E34975017C193D4672BEC42BC52B55F8AE1F1D5F30D56DCFD0B3A4242C3BE4 |
| SHA-512: | 0E26F0084BED372785A5E8C8BE3A0717074AA52C2E8B5413FA9F2CB8DEED40BF8BDBF15C411EFFA432A8B96E50AE6085E8F90A97350827AFAA1BE1AB4B3E1643 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 389868 |
| Entropy (8bit): | 1.2469892412772452 |
| Encrypted: | false |
| SSDEEP: | 768:8mGX5iY6YFC1hSNYG8n6aCKBHwcX7e3ZNrt7qNIxKpGEopKfWOO72cDEDQ+7IF5i:m5ittaAwW6q8KH13QyOgs2w |
| MD5: | 2A500E1219C4894E2D45C32C5A5A11FD |
| SHA1: | AC9A88DE4C84E1EB8A535E1061CBC6584380D24E |
| SHA-256: | C65F223375C6DFE8CE71213D5DD24F39CDE31F772D2C66521BF07B21BE45E6C1 |
| SHA-512: | 89ED91AF91CF969FE7EC087EE107B52959582615EFB2AB72A21D6C3820E5BDDA78EE02EB39BB323FD996D85510627387616DF8917B12052A62D288D8E9448596 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 442363 |
| Entropy (8bit): | 1.2533707838755617 |
| Encrypted: | false |
| SSDEEP: | 1536:f6KFImN7hPg1fMcZ9pkK6m1rmkrDAji7VW9EgfrY:PyMtabPE+7ctfM |
| MD5: | 5465B75724C031B21C018F7D72941F72 |
| SHA1: | 98176B27A41A35401A96D0AAC0859EEC25A4C5FE |
| SHA-256: | 7390780C6FB1F7B57C950A11AE287127CB6144CE9AD1C26E8C242BADB685729B |
| SHA-512: | 7084191B13FF854943DEE9FB6DDC1D7F89D06055FF4DA7E04DA1C359B557AC22762209B8DFE061F3AF628DF077E1D1D1009E9F9A18E3C9441AEE7FD4FDFF1688 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 521 |
| Entropy (8bit): | 4.284169749449499 |
| Encrypted: | false |
| SSDEEP: | 12:7+SriF8i+WUQDJBYqRIE47W0BvM71ARi9ulhji4JDQCr6K:7tuZ+d6/GEUI18jhJsCr6K |
| MD5: | B089BD0CBC944DE0B1023E6CE9318BD3 |
| SHA1: | 715FA74E243D5C3419519E7371ED1836C9BCFA4A |
| SHA-256: | 1E8ABB4A5E85595B0EF2FC73E9012EDDFE1BCB7363E90A2EA46F561DD3742F93 |
| SHA-512: | A164EB2AB02E612E9F96531006C4A71B8D6E8EA6444D86907CB15EF2C1AAB4680EAF3BB580C6A1D5B89A3F454F3E532242FC1DE2B71A9FFF56F812F6E4638885 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 754 |
| Entropy (8bit): | 3.3027259102800293 |
| Encrypted: | false |
| SSDEEP: | 12:8wl0dsXMlykXuGlnEElkXOEOqkXu3w/g/jNJkKAp4t2YZ/elFlSJm:8OrWvlX3qw/4hHAzqy |
| MD5: | 4CF5311D4D3C7F8529A7444A1BDE92AC |
| SHA1: | 87C97FA322DAB6719FE9111565D34D4849833FF0 |
| SHA-256: | 32B62B1DB267EB609645F136E4D54B38A04D9246C7AEBC2DD9DB4BA5D3213616 |
| SHA-512: | 4F3921FFC4E0DF7DEB2E8AF4BC2C9B4D1645829BFBB205FB22E159AC0234F68DA7A38C8A23DC772DEADF135425B369F11EECAB0A7E69FB8E62C53F7E5B171E1E |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.540997501747662 |
| TrID: |
|
| File name: | eAvqHiIsgR.exe |
| File size: | 882'600 bytes |
| MD5: | 61518cfded3109fac04ee916ab275c26 |
| SHA1: | c624a4ee78183d82fb8264f74953d32ddcae5481 |
| SHA256: | e67d5a5be1e0f1033957b79737340afe9889998f6c2db786144b415ddf202ee7 |
| SHA512: | 478737a68a76e03b10e477a47115eb643e9c7242e5a5d7ef0c635060cb0318fd185c6be59793ba66057f811d6f623c68daabd5dfddcc8c3d4dc4d9b8be7096af |
| SSDEEP: | 24576:yiGFaq43NvC7kHJTPrbG4ujTrlq8e+xfJ/QOeaq:yiGFu3Nv3HJTkdde+tJ/qaq |
| TLSH: | 11151266F700D89AE8758F31982EC146E7E4BE2918641B5B3F9ABF2FBCB2050D10F515 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L... ..`.................f...|......H3............@ |
 | |
| Icon Hash: | 0e13672535353f1c |
| Entrypoint: | 0x403348 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x60FC9220 [Sat Jul 24 22:20:16 2021 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | ced282d9b261d1462772017fe2f6972b |
| Signature Valid: | false |
| Signature Issuer: | CN="Biose Etherising Snoreassistenterne ", E=Thyroidectomy@Grasserie.Rat, L=Millersburg, S=Kentucky, C=US |
| Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
| Error Number: | -2146762487 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 07F4C9648CE525564FACE18D1081137B |
| Thumbprint SHA-1: | B05FDEA76018F6B4F74CA880D732D7C4CFAE9B3A |
| Thumbprint SHA-256: | 3F87A7BAF788D5593E84370B6F3D6C86548799431B126CFF6183A98F77C743B6 |
| Serial: | 569C0070FED303446D97771BD262BA0ED17A9696 |
| Instruction |
|---|
| sub esp, 00000184h |
| push ebx |
| push esi |
| push edi |
| xor ebx, ebx |
| push 00008001h |
| mov dword ptr [esp+18h], ebx |
| mov dword ptr [esp+10h], 0040A198h |
| mov dword ptr [esp+20h], ebx |
| mov byte ptr [esp+14h], 00000020h |
| call dword ptr [004080B8h] |
| call dword ptr [004080BCh] |
| and eax, BFFFFFFFh |
| cmp ax, 00000006h |
| mov dword ptr [0042F42Ch], eax |
| je 00007F4E9C7AA2E3h |
| push ebx |
| call 00007F4E9C7AD446h |
| cmp eax, ebx |
| je 00007F4E9C7AA2D9h |
| push 00000C00h |
| call eax |
| mov esi, 004082A0h |
| push esi |
| call 00007F4E9C7AD3C2h |
| push esi |
| call dword ptr [004080CCh] |
| lea esi, dword ptr [esi+eax+01h] |
| cmp byte ptr [esi], bl |
| jne 00007F4E9C7AA2BDh |
| push 0000000Bh |
| call 00007F4E9C7AD41Ah |
| push 00000009h |
| call 00007F4E9C7AD413h |
| push 00000007h |
| mov dword ptr [0042F424h], eax |
| call 00007F4E9C7AD407h |
| cmp eax, ebx |
| je 00007F4E9C7AA2E1h |
| push 0000001Eh |
| call eax |
| test eax, eax |
| je 00007F4E9C7AA2D9h |
| or byte ptr [0042F42Fh], 00000040h |
| push ebp |
| call dword ptr [00408038h] |
| push ebx |
| call dword ptr [00408288h] |
| mov dword ptr [0042F4F8h], eax |
| push ebx |
| lea eax, dword ptr [esp+38h] |
| push 00000160h |
| push eax |
| push ebx |
| push 00429850h |
| call dword ptr [0040816Ch] |
| push 0040A188h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x41dd0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd63f8 | 0x13b0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6457 | 0x6600 | f6e38befa56abea7a550141c731da779 | False | 0.6682368259803921 | data | 6.434985703212657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1380 | 0x1400 | 569269e9338b2e8ce268ead1326e2b0b | False | 0.4625 | data | 5.2610038973135005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x25538 | 0x600 | 17edd496e40111b5a48947c480fda13c | False | 0.4635416666666667 | data | 4.133728555004788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x30000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x58000 | 0x41dd0 | 0x41e00 | 51f103b856396aac282c5bd5a24beff1 | False | 0.6063619248102466 | data | 5.8960782160116745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x583b8 | 0x130ca | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.998410786148207 |
| RT_ICON | 0x6b488 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.40775464332189754 |
| RT_ICON | 0x7bcb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.4554866512507883 |
| RT_ICON | 0x85158 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.462218045112782 |
| RT_ICON | 0x8b940 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4729667282809612 |
| RT_ICON | 0x90dc8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.46835144071799717 |
| RT_ICON | 0x94ff0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5149377593360995 |
| RT_ICON | 0x97598 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5457317073170732 |
| RT_ICON | 0x98640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6073770491803279 |
| RT_ICON | 0x98fc8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6719858156028369 |
| RT_DIALOG | 0x99430 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x99530 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x99650 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x99718 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x99778 | 0x92 | Targa image data - Map 32 x 12490 x 1 +1 | English | United States | 0.7191780821917808 |
| RT_VERSION | 0x99810 | 0x27c | data | English | United States | 0.5 |
| RT_MANIFEST | 0x99a90 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA |
| SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA |
| ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree |
| COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
| USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard |
| GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
| KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-03T17:33:47.033223+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49913 | 172.217.19.174 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2024 17:33:44.363722086 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:44.363833904 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:44.364070892 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:44.399064064 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:44.399080992 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:46.096452951 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:46.096551895 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:46.097237110 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:46.097296953 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:46.287548065 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:46.287574053 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:46.287947893 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:46.288011074 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:46.307739019 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:46.351332903 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:47.033221960 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:47.033356905 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:47.033377886 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:47.033426046 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:47.033612013 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:47.034774065 CET | 443 | 49913 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:47.034843922 CET | 49913 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:47.184026957 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:47.184062004 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:47.184138060 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:47.184432983 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:47.184448957 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:48.940082073 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:48.940161943 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.015134096 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.015168905 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.015507936 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.015568018 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.024219036 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.067341089 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.893646955 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.893719912 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.893738985 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.893794060 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.893923998 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.893976927 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.894464016 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.894515991 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.894526005 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:49.894567013 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.900584936 CET | 49918 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:33:49.900599003 CET | 443 | 49918 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:33:59.928159952 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:59.928215981 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:33:59.928276062 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:59.929634094 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:33:59.929645061 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:01.717998981 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:01.718099117 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:01.718732119 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:01.718789101 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:01.720364094 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:01.720375061 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:01.720633030 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:01.720681906 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:01.721115112 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:01.767338991 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:02.635776043 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:02.635900021 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:02.635945082 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:02.635993958 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:02.636096001 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:02.636140108 CET | 443 | 49948 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:02.636190891 CET | 49948 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:02.645817041 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:02.645863056 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:02.645945072 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:02.646167040 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:02.646184921 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:04.397547960 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:04.397655964 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:04.398216009 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:04.398224115 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:04.398411036 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:04.398416996 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:05.341926098 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:05.342019081 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:05.342031002 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:05.342047930 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:05.342062950 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:05.342092037 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:05.342097044 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:05.342125893 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:05.342164993 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:05.342858076 CET | 49954 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:05.342875957 CET | 443 | 49954 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:15.363076925 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:15.363132000 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:15.363203049 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:15.363512993 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:15.363527060 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:17.109009981 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:17.109206915 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:17.109788895 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:17.109853983 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:17.111843109 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:17.111857891 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:17.112112045 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:17.112164974 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:17.112514973 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:17.155332088 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.069561005 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.069642067 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:18.069663048 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.069704056 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:18.072207928 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.072249889 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.072256088 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:18.072315931 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:18.084497929 CET | 49976 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:18.084517002 CET | 443 | 49976 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.301068068 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:18.301127911 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:18.301192999 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:18.301594019 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:18.301606894 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:20.088489056 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:20.088555098 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:20.089174032 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:20.089180946 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:20.089349031 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:20.089353085 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:21.042052984 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:21.042200089 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:21.042269945 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:21.042304039 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:21.042304039 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:21.042330027 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:21.042812109 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:21.042829990 CET | 443 | 49977 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:21.042843103 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:21.042877913 CET | 49977 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:31.079636097 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:31.079706907 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:31.079792023 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:31.080178976 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:31.080198050 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:32.773159981 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:32.776065111 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:32.776505947 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:32.776519060 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:32.776710987 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:32.776717901 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:33.722728014 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:33.722847939 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:33.722867966 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:33.722918987 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:33.723033905 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:33.723072052 CET | 443 | 49978 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:33.723126888 CET | 49978 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:33.741087914 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:33.741149902 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:33.741239071 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:33.741483927 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:33.741507053 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:35.606815100 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:35.606887102 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:35.607336044 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:35.607347012 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:35.607539892 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:35.607543945 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:36.578711033 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:36.578845024 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:36.578916073 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:36.578967094 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:36.578980923 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:36.578989983 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:36.579035044 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:36.579716921 CET | 49979 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:36.579731941 CET | 443 | 49979 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:46.613140106 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:46.613187075 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:46.613320112 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:46.613655090 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:46.613671064 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:48.372365952 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:48.372526884 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:48.373130083 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:48.373214006 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:48.374660015 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:48.374667883 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:48.374908924 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:48.375006914 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:48.375271082 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:48.419333935 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:49.302124023 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:49.302203894 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:49.302344084 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:49.302403927 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:49.302452087 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:49.302453995 CET | 443 | 49980 | 172.217.19.174 | 192.168.2.7 |
| Dec 3, 2024 17:34:49.302503109 CET | 49980 | 443 | 192.168.2.7 | 172.217.19.174 |
| Dec 3, 2024 17:34:49.319600105 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:49.319631100 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:49.319700956 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:49.319933891 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:49.319945097 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:51.163810015 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:51.163933992 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:51.164475918 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:51.164488077 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:51.164664984 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:51.164669037 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:52.124407053 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:52.124533892 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:52.124541998 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:52.124571085 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:52.124591112 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:52.124609947 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:52.125036001 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:52.125091076 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Dec 3, 2024 17:34:52.125092983 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:52.125142097 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:52.125345945 CET | 49981 | 443 | 192.168.2.7 | 142.250.181.129 |
| Dec 3, 2024 17:34:52.125360966 CET | 443 | 49981 | 142.250.181.129 | 192.168.2.7 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 3, 2024 17:33:44.213413954 CET | 51330 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 17:33:44.351675987 CET | 53 | 51330 | 1.1.1.1 | 192.168.2.7 |
| Dec 3, 2024 17:33:47.044327974 CET | 60014 | 53 | 192.168.2.7 | 1.1.1.1 |
| Dec 3, 2024 17:33:47.183083057 CET | 53 | 60014 | 1.1.1.1 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 3, 2024 17:33:44.213413954 CET | 192.168.2.7 | 1.1.1.1 | 0x77cf | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 3, 2024 17:33:47.044327974 CET | 192.168.2.7 | 1.1.1.1 | 0xc2fe | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 3, 2024 17:33:44.351675987 CET | 1.1.1.1 | 192.168.2.7 | 0x77cf | No error (0) | 172.217.19.174 | A (IP address) | IN (0x0001) | false | ||
| Dec 3, 2024 17:33:47.183083057 CET | 1.1.1.1 | 192.168.2.7 | 0xc2fe | No error (0) | 142.250.181.129 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49913 | 172.217.19.174 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:33:46 UTC | 216 | OUT | |
| 2024-12-03 16:33:47 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49918 | 142.250.181.129 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:33:49 UTC | 258 | OUT | |
| 2024-12-03 16:33:49 UTC | 2228 | IN | |
| 2024-12-03 16:33:49 UTC | 1652 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49948 | 172.217.19.174 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:01 UTC | 417 | OUT | |
| 2024-12-03 16:34:02 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.7 | 49954 | 142.250.181.129 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:04 UTC | 459 | OUT | |
| 2024-12-03 16:34:05 UTC | 1854 | IN | |
| 2024-12-03 16:34:05 UTC | 1652 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.7 | 49976 | 172.217.19.174 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:17 UTC | 417 | OUT | |
| 2024-12-03 16:34:18 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.7 | 49977 | 142.250.181.129 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:20 UTC | 459 | OUT | |
| 2024-12-03 16:34:21 UTC | 1854 | IN | |
| 2024-12-03 16:34:21 UTC | 1652 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.7 | 49978 | 172.217.19.174 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:32 UTC | 417 | OUT | |
| 2024-12-03 16:34:33 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 7 | 192.168.2.7 | 49979 | 142.250.181.129 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:35 UTC | 459 | OUT | |
| 2024-12-03 16:34:36 UTC | 1854 | IN | |
| 2024-12-03 16:34:36 UTC | 1652 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 8 | 192.168.2.7 | 49980 | 172.217.19.174 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:48 UTC | 417 | OUT | |
| 2024-12-03 16:34:49 UTC | 1920 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 9 | 192.168.2.7 | 49981 | 142.250.181.129 | 443 | 7768 | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-12-03 16:34:51 UTC | 459 | OUT | |
| 2024-12-03 16:34:52 UTC | 1854 | IN | |
| 2024-12-03 16:34:52 UTC | 1652 | IN |
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 5 |
| Start time: | 11:31:53 |
| Start date: | 03/12/2024 |
| Path: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 882'600 bytes |
| MD5 hash: | 61518CFDED3109FAC04EE916AB275C26 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 13 |
| Start time: | 12:53:43 |
| Start date: | 03/12/2024 |
| Path: | C:\Users\user\Desktop\eAvqHiIsgR.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 882'600 bytes |
| MD5 hash: | 61518CFDED3109FAC04EE916AB275C26 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 19.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 16.3% |
| Total number of Nodes: | 1543 |
| Total number of Limit Nodes: | 47 |
Graph
Function 00403348 Relevance: 89.6, APIs: 32, Strings: 19, Instructions: 366stringcomfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004058BF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040646B Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027A1 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040390A Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402EA1 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040618A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406492 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402476 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405FDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405796 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401EC5 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405C90 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405761 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A2A38 Relevance: 1.6, APIs: 1, Instructions: 143memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040266D Relevance: 1.6, APIs: 1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040272B Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040239C Relevance: 1.5, APIs: 1, Instructions: 26COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D08 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D37 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A2921 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403300 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A1215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040535C Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040460D Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A1A98 Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406945 Relevance: .3, Instructions: 334COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040711C Relevance: .3, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404B80 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042E6 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405D66 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A22F1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402DBA Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004041E2 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A24D8 Relevance: 10.6, APIs: 7, Instructions: 124COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404ACE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A1837 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004049C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405A8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402E3D Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405192 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405AD6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 701A10E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405BF5 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|