Edit tour
Windows
Analysis Report
MicrosoftWORD.exe
Overview
General Information
| Sample name: | MicrosoftWORD.exe |
| Analysis ID: | 1587444 |
| MD5: | 683c5db3796f6ef32a5598a9c442c6b0 |
| SHA1: | 39b40a2bb77bc0d46361dec3ecd69d1547b39e6d |
| SHA256: | cc3f501d414d5bb8fcbb3a4bcfb2b085b9e67a1e7739118f1b727a9336e16f74 |
| Tags: | exePrivateLoaderuser-zhuzhu0009 |
| Infos: |   |
 | |
Detection
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Allocates memory in foreign processes
Drops large PE files
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
MicrosoftWORD.exe (PID: 7880 cmdline: "C:\Users\ user\Deskt op\Microso ftWORD.exe " MD5: 683C5DB3796F6EF32A5598A9C442C6B0) 
csc.exe (PID: 8120 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\csc .exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
Compliance | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
System Summary | |
|---|
| Source: | File dump: | Jump to dropped file | ||
| Source: | Code function: | 3_2_04C944A3 | |
| Source: | Code function: | 3_2_04C944B0 | |
| Source: | Code function: | 3_2_0923E090 | |
| Source: | Code function: | 3_2_09232220 | |
| Source: | Code function: | 3_2_09231CA8 | |
| Source: | Code function: | 3_2_09232141 | |
| Source: | Code function: | 3_2_09232024 | |
| Source: | Code function: | 3_2_0923F0B0 | |
| Source: | Code function: | 3_2_09232099 | |
| Source: | Code function: | 3_2_092320C3 | |
| Source: | Code function: | 3_2_0923E3B7 | |
| Source: | Code function: | 3_2_09231C10 | |
| Source: | Code function: | 3_2_09231FDF | |
| Source: | Code function: | 3_2_0937FB40 | |
| Source: | Code function: | 3_2_0937FB0A | |
| Source: | Code function: | 3_2_0937FAD8 | |
| Source: | Code function: | 3_2_0937E508 | |
| Source: | Code function: | 3_2_09395988 | |
| Source: | Code function: | 3_2_09394CD8 | |
| Source: | Code function: | 3_2_09397BAE | |
| Source: | Code function: | 3_2_093933E0 | |
| Source: | Code function: | 3_2_093927C8 | |
| Source: | Code function: | 3_2_09395978 | |
| Source: | Code function: | 3_2_093939B0 | |
| Source: | Code function: | 3_2_093939A1 | |
| Source: | Code function: | 3_2_093939B0 | |
| Source: | Code function: | 3_2_093959C8 | |
| Source: | Code function: | 3_2_093950ED | |
| Source: | Code function: | 3_2_09394CCA | |
| Source: | Code function: | 3_2_09392B10 | |
| Source: | Code function: | 3_2_09397BF6 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | WMI Queries: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 3_2_091E4F5E | |
| Source: | Code function: | 3_2_0923311F | |
| Source: | Code function: | 3_2_0923A22F | |
| Source: | Code function: | 3_2_09231FB0 | |
| Source: | File created: | Jump to dropped file | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00512345 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 131 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 31 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 11 Disable or Modify Tools | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 31 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 124 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 65% | Virustotal | Browse | ||
| 53% | ReversingLabs | Win32.Trojan.Leonem |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| newstaticfreepoint24.ddns-ip.net | 181.71.216.203 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 181.71.216.203 | newstaticfreepoint24.ddns-ip.net | Colombia | 27831 | ColombiaMovilCO | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1587444 |
| Start date and time: | 2025-01-10 11:41:11 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 7s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | MicrosoftWORD.exe |
| Detection: | MAL |
| Classification: | mal84.evad.winEXE@3/1@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target MicrosoftWORD.exe, PID 7880 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtProtectVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 05:42:28 | API Interceptor | |
| 10:42:33 | Autostart | |
| 10:42:41 | Autostart |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 181.71.216.203 | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Remcos | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| newstaticfreepoint24.ddns-ip.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ColombiaMovilCO | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\MicrosoftWORD.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 959567321 |
| Entropy (8bit): | 0.10403134135261466 |
| Encrypted: | false |
| SSDEEP: | |
| MD5: | 2F50620BC392CD4467AF0774F20F0045 |
| SHA1: | 897E76B977A57DAE0E0A7BC32EF8C436248316E5 |
| SHA-256: | BB8B678F7382CE794161786A8E11C10986A6B8F24F55B2F3C9108B9871E266ED |
| SHA-512: | 7B11B49A72AA9157BC0FFDBEA67E03BCEE8741BB307F723856011F94476EAB83C2C6918E3AD3E6227BB2224B0075AD501D18027708AB9E09AE198FC964E06A40 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.664200167453047 |
| TrID: |
|
| File name: | MicrosoftWORD.exe |
| File size: | 7'432'192 bytes |
| MD5: | 683c5db3796f6ef32a5598a9c442c6b0 |
| SHA1: | 39b40a2bb77bc0d46361dec3ecd69d1547b39e6d |
| SHA256: | cc3f501d414d5bb8fcbb3a4bcfb2b085b9e67a1e7739118f1b727a9336e16f74 |
| SHA512: | d3ff24f43b4043f1cae00c79c6cf7418bc78012e37a2f28f42f96185d31ccc0f2f020e69803c0e29672b7db074fe9aaeade584d7cf4494951a59f60fc3dde261 |
| SSDEEP: | 98304:zWmwv0GCAR4IQrOWoqNm2T2Nr0WtpHW+WxUbSj8KSS:zWmwHCAcOWoqNm2E0WtlW+W6bCkS |
| TLSH: | AE767C71E283CC43E8A220BFE129A5FC51256E35E627C587B3C0FE2A70735D295E561B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T....v...v...v....t..v....v..v....w..v.../...v..+(...v..+(..6v..+(..kv.......v...(...v.......v...v..;w...(..;v...(z..v...v...v. |
 | |
| Icon Hash: | 3368ccd64c69138e |
| Entrypoint: | 0x5116c7 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66464B85 [Thu May 16 18:08:05 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 667cd4ebeeff36c77bc94683d50504ef |
| Instruction |
|---|
| call 00007EFD5889C43Eh |
| jmp 00007EFD5889B64Ch |
| push ebp |
| mov ebp, esp |
| push 00000000h |
| call dword ptr [0055B170h] |
| push dword ptr [ebp+08h] |
| call dword ptr [0055B2F0h] |
| push C0000409h |
| call dword ptr [0055B260h] |
| push eax |
| call dword ptr [0055B13Ch] |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 00000324h |
| push 00000017h |
| call 00007EFD58887EE8h |
| test eax, eax |
| je 00007EFD5889B7C7h |
| push 00000002h |
| pop ecx |
| int 29h |
| mov dword ptr [0059FD30h], eax |
| mov dword ptr [0059FD2Ch], ecx |
| mov dword ptr [0059FD28h], edx |
| mov dword ptr [0059FD24h], ebx |
| mov dword ptr [0059FD20h], esi |
| mov dword ptr [0059FD1Ch], edi |
| mov word ptr [0059FD48h], ss |
| mov word ptr [0059FD3Ch], cs |
| mov word ptr [0059FD18h], ds |
| mov word ptr [0059FD14h], es |
| mov word ptr [0059FD10h], fs |
| mov word ptr [0059FD0Ch], gs |
| pushfd |
| pop dword ptr [0059FD40h] |
| mov eax, dword ptr [ebp+00h] |
| mov dword ptr [0059FD34h], eax |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [0059FD38h], eax |
| lea eax, dword ptr [ebp+08h] |
| mov dword ptr [0059FD44h], eax |
| mov eax, dword ptr [ebp-00000324h] |
| mov dword ptr [0059FC80h], 00010001h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x197c28 | 0x78 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a6000 | 0x577fa0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1bf000 | 0xdda4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x18a210 | 0x70 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16acf8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x15b000 | 0x398 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x197a80 | 0x80 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x15a000 | 0x159800 | 29eab12d8effad8d0b1170fcfb5a3918 | False | 0.5572596327785818 | data | 6.661013407705432 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x15b000 | 0x3f000 | 0x3e200 | eae27ead0dbaa6b546d3ad9e2f2eddf2 | False | 0.3670853244466801 | data | 5.085860438856158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x19a000 | 0x9000 | 0x5600 | c5bd365bb50e696ac8174b61be590ccd | False | 0.2043059593023256 | data | 4.249683212440647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .gfids | 0x1a3000 | 0x2000 | 0x1200 | db596309d3c1c15c9fe66b4080be2928 | False | 0.3784722222222222 | data | 4.026024095908803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0x1a5000 | 0x1000 | 0x200 | adb00c88d5919bab3c4b160cbf2abed5 | False | 0.03515625 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1a6000 | 0x577fa0 | 0x578000 | 65a24c5551dd85360b88203996705aef | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x1a6660 | 0x7028 | Device independent bitmap graphic, 448 x 16 x 32, image size 0 | 0.3149902479799387 | ||
| RT_BITMAP | 0x1ad688 | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | 0.5955807811901009 | ||
| RT_BITMAP | 0x2200ac | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | 0.5876751714443924 | ||
| RT_BITMAP | 0x292ad0 | 0x72a24 | Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m | 0.4681283809686076 | ||
| RT_BITMAP | 0x3054f4 | 0x67258 | PC bitmap, Windows 3.x format, 52864 x 2 x 54, image size 422942, cbSize 422488, bits offset 54 | 0.9915003503058075 | ||
| RT_ICON | 0x36c74c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4716312056737589 |
| RT_ICON | 0x36cbb4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.29174484052532834 |
| RT_ICON | 0x36dc5c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22863070539419086 |
| RT_ICON | 0x370204 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.20559754369390648 |
| RT_ICON | 0x37442c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.15386549154146456 |
| RT_STRING | 0x384c54 | 0x6c | data | 0.6481481481481481 | ||
| RT_RCDATA | 0x384cc0 | 0x9d36 | PNG image data, 98 x 102, 8-bit/color RGBA, non-interlaced | 0.23204790538190131 | ||
| RT_RCDATA | 0x38e9f8 | 0x7a2b6 | data | 0.7525569237778924 | ||
| RT_RCDATA | 0x408cb0 | 0xc32ba | Delphi compiled form 'Tdm' | 0.34880500564160427 | ||
| RT_RCDATA | 0x4cbf6c | 0x9c27a | Delphi compiled form 'TdmMain' | 0.26150935726458313 | ||
| RT_RCDATA | 0x5681e8 | 0x1cc3e | Delphi compiled form '\017TFanTasticFrame\016FanTasticFrame' | 0.4461985028262973 | ||
| RT_RCDATA | 0x584e28 | 0xf7ece | Delphi compiled form 'TfPNGMessage' | 0.1253773995521427 | ||
| RT_RCDATA | 0x67ccf8 | 0x1ec66 | Delphi compiled form 'TfrmMain' | 0.16980024433972743 | ||
| RT_RCDATA | 0x69b960 | 0x5fd99 | Delphi compiled form '\023TOperationModeFrame\022OperationModeFrame' | 0.6852657023288274 | ||
| RT_GROUP_ICON | 0x6fb6fc | 0x4c | data | English | United States | 0.75 |
| RT_VERSION | 0x6fb748 | 0x34c | data | English | United States | 0.4372037914691943 |
| RT_ANIICON | 0x6fba94 | 0x221a2 | PC bitmap, Windows 3.x format, 18288 x 2 x 29, image size 140368, cbSize 139682, bits offset 54 | 0.9885668876447932 | ||
| RT_MANIFEST | 0x71dc38 | 0x365 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (809), with CRLF line terminators | English | United States | 0.48676639815880324 |
| DLL | Import |
|---|---|
| KERNEL32.dll | HeapAlloc, LoadLibraryW, GetSystemInfo, HeapReAlloc, DeleteFileW, DeleteFileA, GetVersionExA, WaitForSingleObjectEx, LoadLibraryA, CreateFileA, FlushViewOfFile, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, FormatMessageW, GetTempPathA, Sleep, MultiByteToWideChar, HeapSize, HeapValidate, UnmapViewOfFile, GetVersionExW, GetFileAttributesW, GetTempPathW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, InterlockedCompareExchange, GetFullPathNameW, HeapFree, HeapCreate, ReadFile, AreFileApisANSI, RaiseException, GetCurrentThreadId, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, SetLastError, GetConsoleCP, GetVersion, VerSetConditionMask, VerifyVersionInfoW, UnlockFile, DebugBreak, FindFirstFileW, CompareFileTime, FindNextFileW, FindClose, TerminateProcess, GetCurrentThread, SetThreadPriority, SetFileAttributesW, GetModuleFileNameW, GetTimeZoneInformation, GetSystemDirectoryW, HeapCompact, GlobalAlloc, GetLocalTime, CreateDirectoryW, GetCurrentDirectoryW, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, GetEnvironmentVariableW, SetEnvironmentVariableW, DuplicateHandle, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, SetThreadAffinityMask, ResumeThread, SetEvent, ResetEvent, ReleaseSemaphore, CreateEventW, CreateSemaphoreW, GetFileTime, GetSystemWow64DirectoryW, GlobalFree, DecodePointer, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, CreateFileMappingA, LocalFree, LockFileEx, GetFileSize, GetCurrentProcessId, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, ReleaseMutex, CopyFileW, CreateMutexW, SetDllDirectoryW, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, ExpandEnvironmentStringsW, IsWow64Process, OutputDebugStringW, GetFileSizeEx, WriteFile, CreateFileW, SizeofResource, LockResource, LoadResource, FindResourceW, CloseHandle, OpenProcess, GetProcAddress, GetModuleHandleW, GetCurrentProcess, GetLastError, SetStdHandle, WriteConsoleW, LoadLibraryExW, HeapDestroy, GetConsoleWindow, IsValidCodePage, FindFirstFileExW, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetFileType, GetACP, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, EncodePointer, GetCPInfo, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, UnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, SwitchToThread, CreateThread, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibraryAndExitThread, GetModuleHandleA, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, RtlUnwind, ExitThread, GetModuleHandleExW |
| USER32.dll | ShowWindow, MessageBoxW |
| ADVAPI32.dll | ControlService, StartServiceW, CloseServiceHandle, QueryServiceStatusEx, OpenServiceW, OpenSCManagerW, GetTokenInformation, CryptReleaseContext, RegDeleteValueW, RegSetValueExW, RegDeleteKeyW, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, RegCreateKeyExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, TreeResetNamedSecurityInfoW |
| SHELL32.dll | SHCreateDirectoryExW |
| SHLWAPI.dll | PathFindFileNameW, PathCombineA, PathAppendW, PathRemoveFileSpecW, PathIsDirectoryW, PathFileExistsW, PathCombineW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 11:42:29.354820967 CET | 49881 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:29.359671116 CET | 30203 | 49881 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:29.359791994 CET | 49881 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:29.396444082 CET | 49881 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:29.401330948 CET | 30203 | 49881 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:29.401463985 CET | 49881 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:29.406385899 CET | 30203 | 49881 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:50.746136904 CET | 30203 | 49881 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:50.746577978 CET | 49881 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:50.759140015 CET | 49881 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:50.765265942 CET | 30203 | 49881 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:51.434442997 CET | 49973 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:51.439441919 CET | 30203 | 49973 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:51.439519882 CET | 49973 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:51.440294027 CET | 49973 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:51.445128918 CET | 30203 | 49973 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:42:51.445379019 CET | 49973 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:42:51.450223923 CET | 30203 | 49973 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:12.824845076 CET | 30203 | 49973 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:12.824925900 CET | 49973 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:12.825089931 CET | 49973 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:12.829855919 CET | 30203 | 49973 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:12.932951927 CET | 49975 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:12.937918901 CET | 30203 | 49975 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:12.937999010 CET | 49975 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:12.938659906 CET | 49975 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:12.943489075 CET | 30203 | 49975 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:12.943564892 CET | 49975 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:12.948399067 CET | 30203 | 49975 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:34.322165012 CET | 30203 | 49975 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:34.322244883 CET | 49975 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:34.322444916 CET | 49975 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:34.327243090 CET | 30203 | 49975 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:34.433243990 CET | 49976 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:34.438285112 CET | 30203 | 49976 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:34.438369989 CET | 49976 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:34.439419031 CET | 49976 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:34.444166899 CET | 30203 | 49976 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:34.444258928 CET | 49976 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:34.449079037 CET | 30203 | 49976 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:55.804559946 CET | 30203 | 49976 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:55.805633068 CET | 49976 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:55.805769920 CET | 49976 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:55.810579062 CET | 30203 | 49976 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:55.917327881 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:55.922456026 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:55.923232079 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:55.923233032 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:55.928235054 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:43:55.928289890 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:43:55.933435917 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:44:11.184221029 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:44:11.189791918 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:44:11.189881086 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:44:11.195900917 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:44:11.555119991 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:44:11.559984922 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:44:11.560039997 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Jan 10, 2025 11:44:11.564800978 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:44:17.291228056 CET | 30203 | 49977 | 181.71.216.203 | 192.168.2.9 |
| Jan 10, 2025 11:44:17.291337013 CET | 49977 | 30203 | 192.168.2.9 | 181.71.216.203 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 11:42:29.305432081 CET | 61454 | 53 | 192.168.2.9 | 1.1.1.1 |
| Jan 10, 2025 11:42:29.351826906 CET | 53 | 61454 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 11:42:29.305432081 CET | 192.168.2.9 | 1.1.1.1 | 0x823f | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 11:42:29.351826906 CET | 1.1.1.1 | 192.168.2.9 | 0x823f | No error (0) | 181.71.216.203 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:42:04 |
| Start date: | 10/01/2025 |
| Path: | C:\Users\user\Desktop\MicrosoftWORD.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 7'432'192 bytes |
| MD5 hash: | 683C5DB3796F6EF32A5598A9C442C6B0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 05:42:24 |
| Start date: | 10/01/2025 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x640000 |
| File size: | 2'141'552 bytes |
| MD5 hash: | EB80BB1CA9B9C7F516FF69AFCFD75B7D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | moderate |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 9.9% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 32.1% |
| Total number of Nodes: | 28 |
| Total number of Limit Nodes: | 4 |
Graph
Function 0923E090 Relevance: 2.4, Strings: 1, Instructions: 1174COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923E3B7 Relevance: 1.7, Strings: 1, Instructions: 495COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0937FAD8 Relevance: 1.7, APIs: 1, Instructions: 160COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0937FB0A Relevance: 1.7, APIs: 1, Instructions: 159COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0937FB40 Relevance: 1.6, APIs: 1, Instructions: 143COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232220 Relevance: .4, Instructions: 438COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395978 Relevance: .3, Instructions: 318COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395988 Relevance: .3, Instructions: 311COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09394CCA Relevance: .3, Instructions: 307COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09394CD8 Relevance: .3, Instructions: 305COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09397BAE Relevance: .3, Instructions: 301COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093959C8 Relevance: .3, Instructions: 289COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093933E0 Relevance: .3, Instructions: 266COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093927C8 Relevance: .2, Instructions: 238COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093950ED Relevance: .2, Instructions: 223COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09231CA8 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04C9CA18 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923D5B8 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923D5A7 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04C9CBC8 Relevance: 1.3, APIs: 1, Instructions: 49COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09360078 Relevance: .6, Instructions: 597COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09396D50 Relevance: .5, Instructions: 548COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09360810 Relevance: .4, Instructions: 362COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093969A8 Relevance: .3, Instructions: 296COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093933D4 Relevance: .3, Instructions: 262COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093927BC Relevance: .2, Instructions: 234COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923D108 Relevance: .2, Instructions: 217COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09236CD8 Relevance: .2, Instructions: 205COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09235D48 Relevance: .2, Instructions: 185COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09360CC8 Relevance: .2, Instructions: 183COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 092322B2 Relevance: .2, Instructions: 176COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091EFAE0 Relevance: .2, Instructions: 174COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 092322D0 Relevance: .2, Instructions: 162COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09236A39 Relevance: .2, Instructions: 161COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923B9D0 Relevance: .2, Instructions: 158COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923F740 Relevance: .1, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C3E8 Relevance: .1, Instructions: 135COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093961A8 Relevance: .1, Instructions: 128COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 092360DB Relevance: .1, Instructions: 125COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09398088 Relevance: .1, Instructions: 123COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C9F0 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923D428 Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093965D1 Relevance: .1, Instructions: 113COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093965E0 Relevance: .1, Instructions: 105COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C278 Relevance: .1, Instructions: 98COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09390C1C Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923E07F Relevance: .1, Instructions: 93COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C3D9 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09390C28 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09398079 Relevance: .1, Instructions: 90COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923AF80 Relevance: .1, Instructions: 88COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093949E1 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923AF90 Relevance: .1, Instructions: 83COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09394132 Relevance: .1, Instructions: 82COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923B0D4 Relevance: .1, Instructions: 81COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0939810E Relevance: .1, Instructions: 77COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09398247 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09236855 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923F8F0 Relevance: .1, Instructions: 75COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C180 Relevance: .1, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923B700 Relevance: .1, Instructions: 71COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C190 Relevance: .1, Instructions: 67COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923CB31 Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C8A9 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923C77A Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093982F0 Relevance: .1, Instructions: 54COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395850 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09396900 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09398300 Relevance: .0, Instructions: 47COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093938D0 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395860 Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09396910 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091E6D3C Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923BBB2 Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091E1071 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09396D40 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09238A83 Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923BC18 Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232F51 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091E1080 Relevance: .0, Instructions: 34COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093949F0 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923ACC0 Relevance: .0, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232620 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09394BB0 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091E1332 Relevance: .0, Instructions: 31COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923DF80 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09394BC0 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395929 Relevance: .0, Instructions: 25COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09236A08 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395938 Relevance: .0, Instructions: 20COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923B651 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093938E0 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923B6A0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093968D0 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091E8D0A Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923B658 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 092378CC Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232D08 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09395E52 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09396D18 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923CB10 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09233C5C Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 092369AF Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09238FCE Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923ACF0 Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 091E1C48 Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0937E508 Relevance: .5, Instructions: 456COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0923F0B0 Relevance: .4, Instructions: 367COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09392B10 Relevance: .3, Instructions: 281COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09397BF6 Relevance: .3, Instructions: 257COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 092320C3 Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093939A1 Relevance: .2, Instructions: 171COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 093939B0 Relevance: .2, Instructions: 170COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232024 Relevance: .2, Instructions: 167COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232141 Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09231FDF Relevance: .2, Instructions: 155COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09231C10 Relevance: .2, Instructions: 153COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04C944A3 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 04C944B0 Relevance: .1, Instructions: 149COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 09232099 Relevance: .1, Instructions: 148COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|