Windows
Analysis Report
94e.exe
Overview
General Information
Detection
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 94e.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\94e.exe" MD5: E64509A606FEF02334A4B20D3DA84ECF)
- cmd.exe (PID: 7600 cmdline: "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7680 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7688 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 7732 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 7740 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7776 cmdline: cmd /c md 159893 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- extrac32.exe (PID: 7792 cmdline: extrac32 /Y /E Beastiality MD5: 9472AAB6390E4F1431BAA912FCFF9707)
- findstr.exe (PID: 7816 cmdline: findstr /V "Patrick" Episode MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 7832 cmdline: cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Held.com (PID: 7848 cmdline: Held.com H MD5: 62D09F076E6E0240548C2F837536A46A)
- cmd.exe (PID: 7880 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- choice.exe (PID: 7864 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- wscript.exe (PID: 8076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- SecureKey.com (PID: 8120 cmdline: "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a" MD5: 62D09F076E6E0240548C2F837536A46A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
System Summary |
---|
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Michael Haag: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T16:21:09.127868+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 101.99.94.64 | 2404 | TCP |
2024-12-23T16:21:11.706246+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 178.237.33.50 | 80 | TCP |
AV Detection |
---|
Source: | File source: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00406301 |
Source: | Code function: | 0_2_00406CC7 |
Source: | File opened: | (6 entries) |
Networking |
---|
Source: | Suricata IDS: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | Suricata IDS: |
Source: | TCP traffic detected without corresponding DNS query: | (17 entries) |
Source: | UDP traffic detected without corresponding DNS query: | (3 entries) |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | (2 entries) |
Source: | String found in binary or memory: | (33 entries) |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | Windows user hook set: |
Source: | Code function: | 0_2_004050F9 |
Source: | Code function: | 0_2_004044D1 |
E-Banking Fraud |
---|
Source: | File source: |
System Summary |
---|
Source: | COM Object queried: |
Source: | Process Stats: |
Source: | Code function: | 0_2_004038AF |
Source: | File created: | (5 entries) |
Source: | Code function: | 0_2_0040737E |
Source: | Code function: | 0_2_00406EFE |
Source: | Code function: | 0_2_004079A2 |
Source: | Code function: | 0_2_004049A8 |
Source: | Dropped File: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004044D1 |
Source: | Code function: | 0_2_004024FB |
Source: | File created: |
Source: | Mutant created: | (2 entries) |
Source: | File created: |
Source: | Static PE information: |
Source: | WMI Queries: | (2 entries) |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | Process created: | (30 entries) |
Source: | Section loaded: | (162 entries) |
Source: | Key value queried: |
Source: | Process created: |
Source: | Window detected: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00406328 |
Source: | Static PE information: |
Persistence and Installation Behavior |
---|
Source: | File created: | (6 entries) |
Source: | Process information set: | (24 entries) |
Source: | Window found: |
Source: | Window / User API: | (2 entries) |
Source: | Thread sleep time: | (3 entries) |
Source: | Thread sleep count: |
Source: | Last function: |
Source: | Code function: | 0_2_00406301 |
Source: | Code function: | 0_2_00406CC7 |
Source: | File opened: | (6 entries) |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 0_2_00406328 |
Source: | Process token adjusted: | (2 entries) |
Source: | Process created: | (14 entries) |
Source: | Binary or memory string: | (2 entries) |
Source: | Code function: | 0_2_00406831 |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 12 Process Injection | 1 Obfuscated Files or Information | LSASS Memory | 5 System Information Discovery | Remote Desktop Protocol | 111 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Registry Run Keys / Startup Folder | 2 Registry Run Keys / Startup Folder | 1 Software Packing | Security Account Manager | 1 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Masquerading | LSA Secrets | 3 Process Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Process Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs | |||
0% | ReversingLabs |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
geoplugin.net | 178.237.33.50 | true | false | high | |
KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXW | unknown | unknown | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
101.99.94.64 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | true |
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1579940 |
Start date and time: | 2024-12-23 16:19:48 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 8m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 94e.exe |
Detection: | MAL |
Classification: | mal92.troj.spyw.expl.evad.winEXE@30/31@3/2 |
EGA Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- VT rate limit hit for: 94e.exe
Time | Type | Description |
---|---|---|
10:20:43 | API Interceptor | |
10:20:51 | API Interceptor | |
10:21:03 | API Interceptor | |
15:20:52 | Autostart |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
178.237.33.50 | Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos, DBatLoader | Browse |
Get hash | malicious | Cobalt Strike, Remcos, DBatLoader | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
geoplugin.net | Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos, DBatLoader | Browse |
Get hash | malicious | Cobalt Strike, Remcos, DBatLoader | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | Get hash | malicious | Invicta Stealer, XWorm | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse |
Get hash | malicious | RMSRemoteAdmin | Browse |
Get hash | malicious | RMSRemoteAdmin | Browse |
ATOM86-ASATOM86NL | Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos, DBatLoader | Browse |
Get hash | malicious | Cobalt Strike, Remcos, DBatLoader | Browse |
Get hash | malicious | Remcos | Browse |
Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com | Get hash | malicious | LummaC | Browse | ||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | Vidar | Browse | |||
Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | |||
Get hash | malicious | LummaC | Browse | |||
Get hash | malicious | LummaC | Browse |
Process: | C:\Users\user\AppData\Local\Temp\159893\Held.com |
File Type: | |
Category: | dropped |
Size (bytes): | 224 |
Entropy (8bit): | 3.384036122896332 |
Encrypted: | false |
SSDEEP: | 6:6lZXdNc15YcIeeDAlOWA7DxbN2fBMMm0v:6lIec0WItN25MMl |
MD5: | E543E00D252D96679CA2CA7F5E99D7BD |
SHA1: | 233E1E322130D1036507A614CB4166DA465BBD11 |
SHA-256: | BAB47B93B47B89C9A71C1EC006A500182A1811240FCBE0D9F0BCC4C867DD29D7 |
SHA-512: | 62F3D66C9EF05C327C4E8028C19077F319C6E7403CCD89CC66E5203B57ADB00AEDAA1B2E9DC20555989AB1248A606AA10B736C91B587FF624205509A3F84DFFB |
Malicious: | true |
Yara Hits: |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\159893\Held.com |
File Type: | |
Category: | dropped |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\159893\Held.com |
File Type: | |
Category: | dropped |
Size (bytes): | 174 |
Entropy (8bit): | 4.725867201811104 |
Encrypted: | false |
SSDEEP: | 3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5iQERuAcCO7525HDGf5uWAX+Ro6p4EkD5iQE2:RiJBJHonwWDKaJkDB+uAcrA5HDGfwWD0 |
MD5: | 39BB113575FB5F254534EB35FC5EBC9F |
SHA1: | 6A8AED82DC9A1AB3E3B3D873EA78C3190C8B9750 |
SHA-256: | 5529447ED271D1104A7658C52ABF9655D4718AEA8FD47D2CDBF9C593865116D4 |
SHA-512: | 04638B16F8DF7F998DCDA0262B0353F54A3FDB307178E6E7B28B0C0C3CC807F399DC6E4F3DEA423CA60693639D9193BB9E28FC160D4B8FCF7DB3A3E5F03E7094 |
Malicious: | true |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\159893\Held.com |
File Type: | |
Category: | dropped |
Size (bytes): | 723066 |
Entropy (8bit): | 7.99971143768294 |
Encrypted: | true |
SSDEEP: | 12288:7/EcxoEPQM/0CMPJJ4OeW9kQRxmcRUzO2erLbLZItAV+Y5x1C+vtvJQgq1erqzi:bEMvByr4T7WUz/PtYrDQs22 |
MD5: | 76BAFDA97331767C5B8B7A0E43A9599B |
SHA1: | 886E0F943FB4DB8C3364A17A397248B3FDDC0465 |
SHA-256: | ECE19359D4A00F3044836574E0822E68E6A2E998DF88D3E520273A57384DD500 |
SHA-512: | D72CA49B0A6B726DA5BD9E443831DFC73FAA4D28B95E1DD42A7C4E47C2DA1A741760065E6E194BB52EAED5BCFCFF4FE728DF3518723C6E27A4D540A6DF2F8E79 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\159893\Held.com |
File Type: | |
Category: | dropped |
Size (bytes): | 963 |
Entropy (8bit): | 5.019205124979377 |
Encrypted: | false |
SSDEEP: | 12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro |
MD5: | B62617530A8532F9AECAA939B6AB93BB |
SHA1: | E4DE9E9838052597EB2A5B363654C737BA1E6A66 |
SHA-256: | 508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70 |
SHA-512: | A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 723066 |
Entropy (8bit): | 7.99971143768294 |
Encrypted: | true |
SSDEEP: | 12288:7/EcxoEPQM/0CMPJJ4OeW9kQRxmcRUzO2erLbLZItAV+Y5x1C+vtvJQgq1erqzi:bEMvByr4T7WUz/PtYrDQs22 |
MD5: | 76BAFDA97331767C5B8B7A0E43A9599B |
SHA1: | 886E0F943FB4DB8C3364A17A397248B3FDDC0465 |
SHA-256: | ECE19359D4A00F3044836574E0822E68E6A2E998DF88D3E520273A57384DD500 |
SHA-512: | D72CA49B0A6B726DA5BD9E443831DFC73FAA4D28B95E1DD42A7C4E47C2DA1A741760065E6E194BB52EAED5BCFCFF4FE728DF3518723C6E27A4D540A6DF2F8E79 |
Malicious: | true |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 947288 |
Entropy (8bit): | 6.630612696399572 |
Encrypted: | false |
SSDEEP: | 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK |
MD5: | 62D09F076E6E0240548C2F837536A46A |
SHA1: | 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2 |
SHA-256: | 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49 |
SHA-512: | 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 487450 |
Entropy (8bit): | 7.998586208915222 |
Encrypted: | true |
SSDEEP: | 12288:cYicITtxnVTuCmmLgASzlukH+MG6hrLMtDLAWB1:HicIT3nV6aLSzlucay/wj |
MD5: | D621FCD09DA6814A53B15876CCBA0ABE |
SHA1: | 5CA5CC9205012129FCE9113E0EF0B1F61B619AFD |
SHA-256: | D825C78148DE5E945EECF001FB997CD834874629CFFC9F50E47281CB55092CF5 |
SHA-512: | 17A8ED82C7682184A8653BD9CA01939AB456DEAE006CC4E60DB1A0586BC36A96AB9A2216F3DE761ACA4A6D54682FF695F1BE96EF52BE44AF8CB53FF0C8CA91B8 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 114688 |
Entropy (8bit): | 5.77220123860665 |
Encrypted: | false |
SSDEEP: | 1536:XnHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPS:3LeAg0Fuz08XvBNbjaAtsPS |
MD5: | 8CA9A025294269CFBA53E50219A81AC0 |
SHA1: | FDF5E3A40F5D7BD4EA9672107479A1F8063B2B74 |
SHA-256: | 802ED1EADE5979FA97A2D58F124BE2C960B63F5B058F353099F8F8D476B4767C |
SHA-512: | 7542DC4B8AAF0BF5549242B001ECCFBC8DEABEEA44F7106853EA69A33062B59C0D4C8F0C1D34A98E5B9DD3FACD387DDD3F604D944B660213360B9E96BC123CA3 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 51200 |
Entropy (8bit): | 7.996238475606983 |
Encrypted: | true |
SSDEEP: | 768:O9I98FaCRb9f9WDHinwGm+WmGqESjP3c0MyCe2TxbRMVJstxPzZDq0:O1VV9fsLinztWgrjPGw+1aJsh1 |
MD5: | 8124F527DBFF7A5CC677B149CB356730 |
SHA1: | A97B08DF47C71280627BB55AB96B23DF75C42648 |
SHA-256: | 9457ED336A38E78B4138E6D26F878253DA4C307A243E4B139C9E88D727A460CE |
SHA-512: | 0CC9C801A728F83A37472417DA7863F84E3DF6B3E0C8B762B15CA795ABECBBC840ABE2B0CD076CEEBFD11EA0A32E89EAE7EBDC623F9983CED25F07B888C87940 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 95232 |
Entropy (8bit): | 7.997942520192341 |
Encrypted: | true |
SSDEEP: | 1536:t2b1ARfLfRVYtMuRNWDJSkwF0Fog1XVeWdPPUdozlCxGl0F9O0BVMqTIjvquAqTE:kefLJVhYwW/g1X4WBPMqlCXBVP+9tI1 |
MD5: | C28DA53F6BBF741FE9E0C043E65AAFF4 |
SHA1: | 5C5E9D0D72A438F6A82F5C397CB963F943B32FB1 |
SHA-256: | 9722AE27DA0176B101D20C5DC6147568D4444E9787D34FA3CF59590A127DC059 |
SHA-512: | 43EE512B201A97AAC7937F7D5D73C1D0FDC435539482E37D0CA003B080B66F983D88DBC6B8E3363DBC5051593251CBB52D894830B008C26E3D31C884CCA0EE4A |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1942 |
Entropy (8bit): | 4.919498055550784 |
Encrypted: | false |
SSDEEP: | 48:f9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhQ:lSEA5O5W+MfH5Q |
MD5: | D9E3E192EDF72CE767F46FBE896089C4 |
SHA1: | 79406BA6BB66E5C0C2663986C166EFDAD0984381 |
SHA-256: | AFC0EFD869EA325703A26540F2CF237F20E93172E211994B9F0DD7A276FF7C66 |
SHA-512: | BDC0909B5A2EBF51560A739F1D10EBF1E583B4E2A0ADDC8112D693413EBC8FB452DAEB0BBC2F57F231DE22CC156B2535DF36C262743F65B1502BDDC0CB49DB6A |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 128000 |
Entropy (8bit): | 6.556800201639329 |
Encrypted: | false |
SSDEEP: | 3072:FJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTu7:F0CThp6vmVnjphfhnvO5bLezWW7 |
MD5: | 0F4A0EE961C82926D8A1778069855B35 |
SHA1: | 79114551FD7ABEF7523A092AB598B60E56AB451B |
SHA-256: | F80CF0617F6D4653994C386FB60E27FF609A028F4A4C3CDF21C2D308A94777E2 |
SHA-512: | 1E81D9824231AB2AABA63D433688638655E3F46B51AD6392985D95707CCFBA348A5A8C070031E90B4B1AE10278942D55141AB79B4755661BE7A393A84AED0FB4 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60416 |
Entropy (8bit): | 7.997147444325281 |
Encrypted: | true |
SSDEEP: | 1536:6L288nze+HpjWWoqb5QsJiRL1sLTaB0ExuZ/sD74651r:68e+JjoqF69z0Eksl9 |
MD5: | 9A00F2C2CFBD773F135325F4965EA2A2 |
SHA1: | 9A9118B81A6FCA0384571498A7BF77D6E16C517C |
SHA-256: | D227C97E4C1714BE49E7435D6DD021B008095C02DD6D89C1D173AEC29BA7CF43 |
SHA-512: | 7ED0CFF72666081B67AE52B58A6CEE74DA59FBCD2566E907C7316B2E904E4BE5BDDAC64F04CEDE064FC6FCC5A827E90A73BBB492E47825972E756B9E31CE2FAA |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 146432 |
Entropy (8bit): | 6.657550395522391 |
Encrypted: | false |
SSDEEP: | 3072:70Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtN/:ObfSCOMVIPPL/sZ7HS3zcN/ |
MD5: | 395D6096ADC5D6406C48E1AAFC7FB9B5 |
SHA1: | 59E054AD78E96F5FEFC6490B845CA59B6521BBB3 |
SHA-256: | E437F86BF1ADD3F4EDB30939DC8C09A0383D82A42311A77499209A3695871731 |
SHA-512: | 4EEE1173CAFDEA958B4C94FFD1F0FAC676414E37DE0F54C0E85719F9B2D637D3C6EC49B15A1962692E947E4CE340DB1515BF4BFE3CC689B180782CC84E9D90E6 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 75776 |
Entropy (8bit): | 7.997583208783649 |
Encrypted: | true |
SSDEEP: | 1536:i+5Gd7DIAqNgpMvErhsFBHSEYF4hMpKGTPiclwBgrpAMC:i+QdnIAqNgpMw+JImOTZWgrpAMC |
MD5: | 821B9AA3C5A294A53EB5B4F1372B6B51 |
SHA1: | B3505ADA427E3E8056DB3273EC9E763EDA134AC4 |
SHA-256: | 39948232580068EF60262BF6B3A1A71D3E3EA6EA105539CDDB09A8F51F576E36 |
SHA-512: | 66850E00173D670ED471DD7013BF67FDB6DF3A1B7481F4F3721FC8C18AB50876A35170630AE85A380ADF99CA2C8D45127F75B950587C991470BB10559F02D4C5 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 19377 |
Entropy (8bit): | 5.130473864787576 |
Encrypted: | false |
SSDEEP: | 384:RHGlqOVZsOi9/Ywk4Nig4qMnxo2OTjSvE9gu3I6:JGl9fzitYwB0y2OKEr3I6 |
MD5: | 1200E3ECD7A3B7EC27E8E718ACA1F694 |
SHA1: | 9EBB660EE1196BB429E8E99088A949B37B10DF05 |
SHA-256: | 88D7CFD10DEADF841664FD1B470C35482410E710B1CBE922B6CD39A4A4985CAC |
SHA-512: | BF1F58316A16122BC3B17588C723BC79E30E37C62D5220DD883F3E61385EFB04ECEAD33519A9360EC8145917DA1259FA60C61AE005A0249022B6AA1B456415FA |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 19377 |
Entropy (8bit): | 5.130473864787576 |
Encrypted: | false |
SSDEEP: | 384:RHGlqOVZsOi9/Ywk4Nig4qMnxo2OTjSvE9gu3I6:JGl9fzitYwB0y2OKEr3I6 |
MD5: | 1200E3ECD7A3B7EC27E8E718ACA1F694 |
SHA1: | 9EBB660EE1196BB429E8E99088A949B37B10DF05 |
SHA-256: | 88D7CFD10DEADF841664FD1B470C35482410E710B1CBE922B6CD39A4A4985CAC |
SHA-512: | BF1F58316A16122BC3B17588C723BC79E30E37C62D5220DD883F3E61385EFB04ECEAD33519A9360EC8145917DA1259FA60C61AE005A0249022B6AA1B456415FA |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 59392 |
Entropy (8bit): | 6.103315393934533 |
Encrypted: | false |
SSDEEP: | 1536:h/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8K:h/Dde6u640ewy4Za9coRC2jfTq8K |
MD5: | A995F1E756BA60704A0BC0695B3F6582 |
SHA1: | 42A9CE336C104C880F9428E47E997C5C1920972B |
SHA-256: | 400EE81DB192007278B3153AB6A3DC8C2A654881A6C86AD1ECB32278E272F816 |
SHA-512: | E828BC2F302FA278DF87E1D521FFE8D965B26C8CE78EBA12034CC99F6E86F16C3A41BD20ACE2D1484E959039C9C7FCE27A588F7E2D8AEE3498426E5AD2179098 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 78848 |
Entropy (8bit): | 6.668205149160492 |
Encrypted: | false |
SSDEEP: | 1536:gUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkz:Hnj0nEoXnmowS2u5hVOoQ7t8T6pUkz |
MD5: | B70AB977308AA6EDB2CCB7AEF8D4F98B |
SHA1: | 3E67F9A3F99A296C51C3146C7CBA8C42353FE95D |
SHA-256: | 4A6E7B573C3BE4D1C87BECEBA3A76AD4BC743B8EDA49BA9A34E583E33957D311 |
SHA-512: | ED8AD6321B17FDA8F9DB45433B2DE24E3886B12336FE7DAB59C04317A1D1F521773C6F2E4E497216AEEA986A2F642EEAAD1285330D3D0E3195820564B61BF32C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 58368 |
Entropy (8bit): | 7.996809161333418 |
Encrypted: | true |
SSDEEP: | 768:kfaAb1YPzbkpiI6TqOHXcqUGAUKGPkcp1TiiMfcHIsOSp41Q0jCDWNzfYrqNR+me:kPpSD3lv1JBHI/S12fVr+2oHEsR |
MD5: | A73E519BCD9E1580C5E65054BDC226CF |
SHA1: | 644CA96C3E8FD9A72D1635ECECA35D94B9A8211C |
SHA-256: | 5319573E7DA1F1ABB3B7F744503330A281DC718E39E6C4024372FE0EC06F5021 |
SHA-512: | F2C22A525D9960C25AC45906DDEC9F198D641A48920D254FCB6A9CC7F04EDBC1AE58943720E6EB70E621CC9CCB3063ABD841A6E8CDC32A129806A20310B66C91 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 82944 |
Entropy (8bit): | 7.997628960976328 |
Encrypted: | true |
SSDEEP: | 1536:Ge6c7hJDUr41rdDggjZqXzRAB6RJMxr1WFiKxhuptNLPQMVoLyGqh64G5:n7Doc1rdDgcwXzCcJiZqiYWLPQMmfqhC |
MD5: | E30687F056039896A1359173B4116E28 |
SHA1: | CE6920DA90CAC568D3BDC099C7FD4C030251B2A8 |
SHA-256: | A5FBFF0D21A6405C2C4BA6A5AC06384B03D410C7A19840B68031DEDD75B5E14C |
SHA-512: | C196F2190A95AAA431078AE4770166B54362F8D81E43B4B7C5FDE72F8A00B0953CBAD3D424BC05FADF08AF1D073026085D3672987F527E9D6BA8C875448A7022 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 71680 |
Entropy (8bit): | 7.997179324824961 |
Encrypted: | true |
SSDEEP: | 1536:T3nBSPTSQYpYhHwst0DyN9DFVzQeTQi8SNA6ZqMgqdahezxz:TGHeYhHwy0D6vGe0lSNA6ZqMg+2c |
MD5: | 278C6DD8E3D5D995FE50EB916D200D02 |
SHA1: | 7CCC495E12E361BF0BB8DEE291628C185D31C6A7 |
SHA-256: | 819A54480238EDC0229D4B0205644C29235DB953A6131A705E7DF1C6B7AE3EC4 |
SHA-512: | 6A64F234DB89DE007715FF0F590DF053F3F615C9148A25C2E9F473B75ED05BB9892722E649AF2F7EE1C3AC8385C527C96380EF2C6EF3B9D1E53C91EDDDC745E0 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 50298 |
Entropy (8bit): | 7.99613692468593 |
Encrypted: | true |
SSDEEP: | 1536:hFHQ07HT8NN+dQ+qvofPo8gKBREZLOOwa1LVvq:hJQd+q1elNLEph11Ri |
MD5: | C1620A46FEF0BBED59C18556005B1986 |
SHA1: | 1E1600D89F142BC9CEE8FD2F1AFE61532DB00D35 |
SHA-256: | ED88E0D31612BDECAE0CF831FB04A2BA2869F446EC20071A71972F62DD4B8B30 |
SHA-512: | 6ACC752A7F91D5EAB8150BA57E8E7263595F1B970ACC13DCBD47F6569944F0154D65FAD3FA23A823A878E820F8C6B71303B0F69F190BA90CBC948EF21C3BD59C |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 97280 |
Entropy (8bit): | 7.998168543407867 |
Encrypted: | true |
SSDEEP: | 1536:HHbClViwNK3/gIqLn285ZctiVh7ZKcMvVycsdrp8Md9dQ2/lyK2MbB8A02WdZrnH:HHcqhWZZctmvKXwzxh3Vb9Lu1n/rXmte |
MD5: | FE61D20F8EA807D2D28D060A2E6ACC1F |
SHA1: | 87ABD4BDE99C223093B91AB0D6DCB6CDDB5B5B6E |
SHA-256: | 1A471AAFB9A68E0E4DC26D8F12568634CCDFE008EE97EE3894626B2B30CAA3EB |
SHA-512: | 69DC3EC1E44578D05E926A78950260A3F048DED5DB804AAB331B1227B2E0BAF2D876720CB69A29D25963A904D37533D9723DB036759950B70A78456131B7C54D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 17609 |
Entropy (8bit): | 7.371268807427551 |
Encrypted: | false |
SSDEEP: | 384:cn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:cuO/ChgZ45VatJVEV3GPkjF |
MD5: | 38BEF07193B527F40E7E71A0C771055D |
SHA1: | CB8FADDAF8EE108F7779490E0F610CCAD52B4719 |
SHA-256: | 7CDCD51EDAF581B298C0A08DE9263BCE67F370662DC6CA30AC4B10F4162CA362 |
SHA-512: | 365D6E3AD4A9DA5482931C94627BC5C4088ACB41C00BB58F4FBF9677F9D38DA1C95AC6ED0BD886DB3E71F2961E9FB752EB99374FB68DA2C52C4D1E6B017C7143 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 152576 |
Entropy (8bit): | 5.695589464089253 |
Encrypted: | false |
SSDEEP: | 1536:YKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiq:e6whxjgarB/5elDWy4ZNoGmROL7F1Gj |
MD5: | 1EEFF55B8944B597022EDEAB744C5CC6 |
SHA1: | 81CFE19C86B91C7F6C3206CA82A8ECE25F47A8BA |
SHA-256: | A04705CBDD2094D92F256730C9ABDA047025C915BAA1D849A3D4D34934133B26 |
SHA-512: | FDA32B08EBAFFFB52D2E64CC9417211353F69E899A6408DD311EC0185750B7AA59AA57A4A64F0E112E25F59A2780167BAE03B804F70E0D0FEB36F903A0FFA9F1 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 103424 |
Entropy (8bit): | 6.256064666253063 |
Encrypted: | false |
SSDEEP: | 3072:LZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3l5:LK5vPeDkjGgQaE/l5 |
MD5: | 9B06EE62B4075EAD9252BCA0AB6B8E1F |
SHA1: | C5A46DE8EBC0CF59B3E9D853A19D81E46B39DB8E |
SHA-256: | 59E51175F590B56CAA0FAE3C0AC954FBF640DA5CF5115E13ACDDCD3ABCCEAE58 |
SHA-512: | D29CC82CFA31D2E1180B6B0B45B3EDAF030B743E877468EE6CD4019EF24C893ACFAB92D9295CC5970D08CCBFD7F28D37CE82074EA24386A7260E58AEB4B82FF7 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\94e.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 79872 |
Entropy (8bit): | 7.997367075027439 |
Encrypted: | true |
SSDEEP: | 1536:9uJYk3T028CTlAHsn6EG11bpfS2opiYP8nG2eO2Sr3MxHAbk2NQQTdyAk:9Qg280n011Nf1oIE8nGpO/r2udJTG |
MD5: | 6EC2D21CF20149100EAFE4E40FA64C02 |
SHA1: | E5A4642353BBEA58657E8DBDF86D6F44DAA8770D |
SHA-256: | 9DD82A22080A518BB655E69CFCAFBC0409E6D31CD7314476E781993811E2EC30 |
SHA-512: | 4379014C90B7737A6A8BB0723653091BB717F99730D66AE1F63EE66677A9160C6BD9DC90EBB8D9D8C72BA56DE7300A379204E50EE84AD2DA04B27A94198EB9C0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\extrac32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 144384 |
Entropy (8bit): | 6.712192729639709 |
Encrypted: | false |
SSDEEP: | 3072:oW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAU4C0:CUDtf0accB3gBmmLsiS+SAhC0 |
MD5: | 8DB05BAC1C4AE27F79F7F2DB347B7C78 |
SHA1: | A14626D92A263F61D6263C68B99C9C145757ED2A |
SHA-256: | BBD7E676F193BA52D8A37ACD1E586E69E6B498AEED8D35455141530AA8F61548 |
SHA-512: | 6F8E9787FC3287D2953FFEB1014ADC76FBA466D3FCE0A34A636708C45844BE60403E25A45A627068BD60DB32F76262474E2CEA2E7E48171AA73E9A1C730367B6 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 92 |
Entropy (8bit): | 4.839128402679534 |
Encrypted: | false |
SSDEEP: | 3:HRAbABGQaFyw3pYot+kiE2J5iQRAcCG75SK:HRYF5yjowkn23iQRAcSK |
MD5: | F2BF87E173456FDDB25858FC2076C4BE |
SHA1: | 8B74ED5C53C9CFDD3B9C44C71C8AD5092AE53FF0 |
SHA-256: | 79354D98FA4033A9721D006DA98BB7AE327514EB950D21ED8DCF16FA2BDBCF5C |
SHA-512: | 932858A28435B9978AB482E20A05F6A91168B15D115AB510D46C5B149FC55E2A745B66A6BF4077DAF8E4F9C541F4BC46CB5913B97FE840C6FA837C92E2401395 |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.985524809121679 |
TrID: | |
File name: | 94e.exe |
File size: | 1'820'231 bytes |
MD5: | e64509a606fef02334a4b20d3da84ecf |
SHA1: | 4277ab565325593bd91dea95976942f3b636747c |
SHA256: | 94e4256177777422e7ca3282075bb34480c9e235a1c5f3209918abfe1f341697 |
SHA512: | c7c5f8319ffb2a13cc424f8da11f0c0f794fb6496995d90a30222a9da71b882cffbf6d21343713d074cd7e1aaf3c2286998532cda50d77d6380395613a0f2317 |
SSDEEP: | 24576:m+e9sK6m7r7RXyzS0MzK8Y82mTn1fLSfl/AQB/Wa5zZtur9THsm7xqEBvBDNis:pe9iG/dyuzHYW14ZAQBlZtur9THNtvj9 |
TLSH: | 54853393AA0C9CC3DD838DB6A920666727F3FA5C6924D7075352C484F321D4B92627BF |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...r...B...8..... |
Icon Hash: | e1dcece4c4e47c58 |
Entrypoint: | 0x4038af |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | be41bf7b8cc010b614bd36bbca606973 |
Signature Valid: | false |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 0D637B42FF0AB3019673C4243305BD25 |
Thumbprint SHA-1: | 777A41024CF413CCB49B3434565545C0D78D80E9 |
Thumbprint SHA-256: | 3A0A9BD3CBF08E350DACBFCB54C53F00113D929DAD01AF4C9D5BFE37ACF9F352 |
Serial: | 062EE3FD7CDC52097C1DA6AFA87C745E |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push ebp |
push esi |
push edi |
push 00000020h |
xor ebp, ebp |
pop esi |
mov dword ptr [esp+18h], ebp |
mov dword ptr [esp+10h], 0040A268h |
mov dword ptr [esp+14h], ebp |
call dword ptr [00409030h] |
push 00008001h |
call dword ptr [004090B4h] |
push ebp |
call dword ptr [004092C0h] |
push 00000008h |
mov dword ptr [0047EB98h], eax |
call 00007F8F2D337E8Bh |
push ebp |
push 000002B4h |
mov dword ptr [0047EAB0h], eax |
lea eax, dword ptr [esp+38h] |
push eax |
push ebp |
push 0040A264h |
call dword ptr [00409184h] |
push 0040A24Ch |
push 00476AA0h |
call 00007F8F2D337B6Dh |
call dword ptr [004090B0h] |
push eax |
mov edi, 004CF0A0h |
push edi |
call 00007F8F2D337B5Bh |
push ebp |
call dword ptr [00409134h] |
cmp word ptr [004CF0A0h], 0022h |
mov dword ptr [0047EAB8h], eax |
mov eax, edi |
jne 00007F8F2D33545Ah |
push 00000022h |
pop esi |
mov eax, 004CF0A2h |
push esi |
push eax |
call 00007F8F2D337831h |
push eax |
call dword ptr [00409260h] |
mov esi, eax |
mov dword ptr [esp+1Ch], esi |
jmp 00007F8F2D3354E3h |
push 00000020h |
pop ebx |
cmp ax, bx |
jne 00007F8F2D33545Ah |
add esi, 02h |
cmp word ptr [esi], bx |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x80446 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b9717 | 0x2f30 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x100000 | 0x80446 | 0x80600 | 587813348164d2664e6647eb84ef392c | False | 0.993720332278481 | data | 7.963310924450258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x181000 | 0xfd6 | 0x1000 | 1e2daffa57cfb45ab40da9bc854a30b0 | False | 0.569091796875 | data | 5.3301846876241425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x100268 | 0x7ba38 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.9998124101543371 |
RT_ICON | 0x17bca0 | 0x2a4c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0010158847432582 |
RT_ICON | 0x17e6ec | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6741803278688525 |
RT_ICON | 0x17f814 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.774822695035461 |
RT_DIALOG | 0x17fc7c | 0x100 | data | English | United States | 0.5234375 |
RT_DIALOG | 0x17fd7c | 0x11c | data | English | United States | 0.6056338028169014 |
RT_DIALOG | 0x17fe98 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x17fef8 | 0x3e | data | English | United States | 0.8387096774193549 |
RT_VERSION | 0x17ff38 | 0x238 | data | English | United States | 0.5264084507042254 |
RT_MANIFEST | 0x180170 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193 |
DLL | Import |
---|---|
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW |
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW |
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject |
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation |
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW |
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create |
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance |
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T16:21:09.127868+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49736 | 101.99.94.64 | 2404 | TCP |
2024-12-23T16:21:11.706246+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49738 | 178.237.33.50 | 80 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 16:21:07.641341925 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:07.761212111 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:07.763930082 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:07.769572020 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:07.889550924 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:09.083507061 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:09.127867937 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:09.323457003 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:09.331868887 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:09.452661991 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:09.452744961 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:09.572583914 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:09.908715963 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:09.910046101 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:10.029872894 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:10.100733042 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:10.235138893 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:10.310678005 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:21:10.433490992 CET | 80 | 49738 | 178.237.33.50 | 192.168.2.4 |
Dec 23, 2024 16:21:10.433727980 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:21:10.433866024 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:21:10.553463936 CET | 80 | 49738 | 178.237.33.50 | 192.168.2.4 |
Dec 23, 2024 16:21:11.706156969 CET | 80 | 49738 | 178.237.33.50 | 192.168.2.4 |
Dec 23, 2024 16:21:11.706245899 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:21:11.717955112 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:11.839953899 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:12.707031965 CET | 80 | 49738 | 178.237.33.50 | 192.168.2.4 |
Dec 23, 2024 16:21:12.707228899 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:21:20.898519993 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:20.900192022 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:21.020350933 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:50.916796923 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:21:50.918275118 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:21:51.038085938 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:22:20.949567080 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:22:20.951179981 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:22:21.071006060 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:22:50.970892906 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:22:50.972347975 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:22:51.092086077 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:23:00.165658951 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:00.547907114 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:01.235416889 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:02.532344103 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:05.048093081 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:10.047943115 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:19.844839096 CET | 49738 | 80 | 192.168.2.4 | 178.237.33.50 |
Dec 23, 2024 16:23:21.012177944 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:23:21.014357090 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:23:21.136359930 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:23:51.060815096 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:23:51.062110901 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:23:51.182858944 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:24:21.080691099 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:24:21.081940889 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:24:21.201500893 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:24:51.125269890 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Dec 23, 2024 16:24:51.126400948 CET | 49736 | 2404 | 192.168.2.4 | 101.99.94.64 |
Dec 23, 2024 16:24:51.246049881 CET | 2404 | 49736 | 101.99.94.64 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 23, 2024 16:20:52.027507067 CET | 58645 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 23, 2024 16:20:52.251633883 CET | 53 | 58645 | 1.1.1.1 | 192.168.2.4 |
Dec 23, 2024 16:21:04.169832945 CET | 58630 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 23, 2024 16:21:04.308515072 CET | 53 | 58630 | 1.1.1.1 | 192.168.2.4 |
Dec 23, 2024 16:21:10.164005041 CET | 58412 | 53 | 192.168.2.4 | 1.1.1.1 |
Dec 23, 2024 16:21:10.306775093 CET | 53 | 58412 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 23, 2024 16:20:52.027507067 CET | 192.168.2.4 | 1.1.1.1 | 0xd13c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 16:21:04.169832945 CET | 192.168.2.4 | 1.1.1.1 | 0x5f2 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 16:21:10.164005041 CET | 192.168.2.4 | 1.1.1.1 | 0x5ecf | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 23, 2024 16:20:52.251633883 CET | 1.1.1.1 | 192.168.2.4 | 0xd13c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 16:21:04.308515072 CET | 1.1.1.1 | 192.168.2.4 | 0x5f2 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Dec 23, 2024 16:21:10.306775093 CET | 1.1.1.1 | 192.168.2.4 | 0x5ecf | No error (0) | | | 178.237.33.50 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49738 | 178.237.33.50 | 80 | 7848 | C:\Users\user\AppData\Local\Temp\159893\Held.com |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Dec 23, 2024 16:21:10.433866024 CET | 71 | OUT | |
Dec 23, 2024 16:21:11.706156969 CET | 1171 | IN | |
Target ID: | 0 |
Start time: | 10:20:43 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\Desktop\94e.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'820'231 bytes |
MD5 hash: | E64509A606FEF02334A4B20D3DA84ECF |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 10:20:43 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 10:20:43 |
Start date: | 23/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 10:20:46 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xef0000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 10:20:46 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x670000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 10:20:46 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xef0000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 10:20:46 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x670000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 10:20:47 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 10:20:47 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\extrac32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd80000 |
File size: | 29'184 bytes |
MD5 hash: | 9472AAB6390E4F1431BAA912FCFF9707 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 9 |
Start time: | 10:20:48 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\findstr.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x670000 |
File size: | 29'696 bytes |
MD5 hash: | F1D4BE0E99EC734376FDE474A8D4EA3E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 10:20:48 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 11 |
Start time: | 10:20:49 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\AppData\Local\Temp\159893\Held.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa40000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Has exited: | false |
Target ID: | 12 |
Start time: | 10:20:49 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\choice.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7f0000 |
File size: | 28'160 bytes |
MD5 hash: | FCE0E41C87DC4ABBE976998AD26C27E4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 13 |
Start time: | 10:20:49 |
Start date: | 23/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 14 |
Start time: | 10:20:50 |
Start date: | 23/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 16 |
Start time: | 10:21:00 |
Start date: | 23/12/2024 |
Path: | C:\Windows\System32\wscript.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff630c50000 |
File size: | 170'496 bytes |
MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 17 |
Start time: | 10:21:00 |
Start date: | 23/12/2024 |
Path: | C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x850000 |
File size: | 947'288 bytes |
MD5 hash: | 62D09F076E6E0240548C2F837536A46A |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Has exited: | true |
Execution Graph
Execution Coverage: | 17.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 21% |
Total number of Nodes: | 1482 |
Total number of Limit Nodes: | 25 |
Graph
Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295, Tags: window, clipboard, memory, COMMON
Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304, Tags: file, string, com, COMMON
Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351, Tags: sleep, file, window, COMMON
Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233, Tags: string, registry, library, COMMON
Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185, Tags: string, time, COMMON
Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175, Tags: file, COMMON
Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42, Tags: window, COMMON
Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15, Tags: file, COMMON
Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9, Tags: COMMON
Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22, Tags: file, COMMON
Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20, Tags: COMMON
Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9, Tags: window, COMMON
Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6, Tags: COMMON
Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6, Tags: window, COMMON
Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4, Tags: COMMON
Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470, Tags: window, memory, COMMON
Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190, Tags: file, string, COMMON
Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300, Tags: string, keyboard, COMMON
Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270, Tags: file, string, COMMON
Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212, Tags: string, COMMON
Function 004079A2 Relevance: 0.3, Instructions: 347, Tags: COMMON
Function 0040737E Relevance: 0.3, Instructions: 303, Tags: COMMON
Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256, Tags: library, loader, memory, COMMON
Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210, Tags: window, string, COMMON
Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163, Tags: file, string, memory, COMMON
Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131, Tags: registry, string, COMMON
Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72, Tags: file, string, COMMON
Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103, Tags: memory, file, COMMON
Function 004023F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83, Tags: library, COMMON
Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60, Tags: COMMON
Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59, Tags: synchronization, COMMON
Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48, Tags: window, COMMON
Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40, Tags: time, COMMON
Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56, Tags: memory, COMMON
Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39, Tags: window, COMMON
Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84, Tags: window, time, COMMON
Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73, Tags: string, COMMON
Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60, Tags: registry, COMMON
Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56, Tags: string, COMMON
Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53, Tags: string, COMMON
Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45, Tags: COMMON
Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43, Tags: string, COMMON
Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33, Tags: COMMON
Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31, Tags: memory, library, loader, COMMON
Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58, Tags: window, COMMON
Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25, Tags: string, COMMON
Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24, Tags: process, COMMON
Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13, Tags: string, COMMON
Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37, Tags: string, COMMON