Windows
Analysis Report
4AMVusDMPP.exe
Overview
General Information
Sample name: | 4AMVusDMPP.exerenamed because original name is a hash value |
Original sample name: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a.exe |
Analysis ID: | 1588355 |
MD5: | ed6f1c14e085e4fbc7c47f894f2140b9 |
SHA1: | 1757c800b765345d51a261e11ebe1d89f05c4865 |
SHA256: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a |
Tags: | exeGuLoaderuser-adrian__luca |
Infos: | |
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 4AMVusDMPP.exe (PID: 4492 cmdline:
"C:\Users\ user\Deskt op\4AMVusD MPP.exe" MD5: ED6F1C14E085E4FBC7C47F894F2140B9) - 4AMVusDMPP.exe (PID: 4216 cmdline:
"C:\Users\ user\Deskt op\4AMVusD MPP.exe" MD5: ED6F1C14E085E4FBC7C47F894F2140B9) - WerFault.exe (PID: 7092 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 216 -s 253 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T01:15:33.617639+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49708 | 142.250.181.238 | 443 | TCP |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_0040672B | |
Source: | Code function: | 0_2_00405AFA | |
Source: | Code function: | 0_2_00402868 | |
Source: | Code function: | 3_2_00402868 | |
Source: | Code function: | 3_2_0040672B | |
Source: | Code function: | 3_2_00405AFA |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS query: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_0040558F |
Source: | Code function: | 0_2_004034A5 | |
Source: | Code function: | 3_2_004034A5 |
Source: | Code function: | 0_2_00404DCC | |
Source: | Code function: | 0_2_00406AF2 | |
Source: | Code function: | 0_2_6EAB1B5F | |
Source: | Code function: | 3_2_00404DCC | |
Source: | Code function: | 3_2_00406AF2 | |
Source: | Code function: | 3_2_00162DD1 |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Code function: | 0_2_004034A5 | |
Source: | Code function: | 3_2_004034A5 |
Source: | Code function: | 0_2_00404850 |
Source: | Code function: | 0_2_00402104 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Data Obfuscation |
---|
Source: | File source: |
Source: | Code function: | 0_2_6EAB1B5F |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | API/Special instruction interceptor: | ||
Source: | API/Special instruction interceptor: |
Source: | RDTSC instruction interceptor: | ||
Source: | RDTSC instruction interceptor: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Code function: | 0_2_0040672B | |
Source: | Code function: | 0_2_00405AFA | |
Source: | Code function: | 0_2_00402868 | |
Source: | Code function: | 3_2_00402868 | |
Source: | Code function: | 3_2_0040672B | |
Source: | Code function: | 3_2_00405AFA |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | API call chain: | graph_0-4554 | ||
Source: | API call chain: | graph_0-4710 |
Source: | Code function: | 0_2_6EAB1B5F |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_004034A5 |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
61% | ReversingLabs | Win32.Trojan.Guloader | ||
100% | Avira | HEUR/AGEN.1337946 |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
drive.google.com | 142.250.181.238 | true | false | high | |
drive.usercontent.google.com | 172.217.16.193 | true | false | high | |
checkip.dyndns.com | 193.122.130.0 | true | false | high | |
checkip.dyndns.org | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false | |
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false | |
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1588355 |
Start date and time: | 2025-01-11 01:13:43 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 6m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 4AMVusDMPP.exerenamed because original name is a hash value |
Original Sample Name: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a.exe |
Detection: | MAL |
Classification: | mal76.troj.evad.winEXE@4/13@3/3 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.22, 4.175.87.197, 40.126.32.134, 13.107.246.45
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target 4AMVusDMPP.exe, PID 4216 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: 4AMVusDMPP.exe
Time | Type | Description |
---|---|---|
19:16:01 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
193.122.130.0 | Get hash | malicious | Snake Keylogger | Browse |
| |
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
checkip.dyndns.com | Get hash | malicious | Snake Keylogger | Browse |
| |
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ORACLE-BMC-31898US | Get hash | malicious | Snake Keylogger | Browse |
| |
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | MassLogger RAT | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | GuLoader | Browse |
| |
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | GuLoader | Browse |
| ||
Get hash | malicious | Remcos, GuLoader | Browse |
| ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\nsc34E8.tmp\System.dll | Get hash | malicious | GuLoader, MassLogger RAT | Browse | ||
Get hash | malicious | GuLoader | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse | |||
Get hash | malicious | GuLoader, MassLogger RAT | Browse |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4AMVusDMPP.exe_61cb2be0a118b477e74e579cc06ebecc946bdf_a4a520bb_3548f4db-b40a-4ded-89e9-2a6ecf066170\Report.wer
Download File
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.2246975261220179 |
Encrypted: | false |
SSDEEP: | 192:IZGZ1ZcgbT0BU/rSdjYmFrvumKzuiF7Z24IO8aj:h1ZcKABU/rSdjnumKzuiF7Y4IO8aj |
MD5: | 0C976B8E75C04B16EEC7E2CCDB325E20 |
SHA1: | C357B4CCA00833E2DCCD951B914332B19FC07895 |
SHA-256: | 98144B5E1ED499CE582D02FACB0CE306BAED470AD096BCE1D40D2A1E6EF80BDB |
SHA-512: | EA5441B8D4BBAF94DA42ECB046B28B9BA649981996B9B59D9A740A80DA257742D50522C408368DAD526906F159292CD4587D8EB9A89116E708295CF3408A88C1 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 280554 |
Entropy (8bit): | 3.758471502062987 |
Encrypted: | false |
SSDEEP: | 3072:S4MT45X6yw5gZyp6L4uEqqzTLTgQpdPrWe:TOL2ZywL4fjTgSdJ |
MD5: | 255AC1826754DA840B69C25D47DD7BFB |
SHA1: | A096F18A04195709A8DC380AF67E64C073E7C6CF |
SHA-256: | 956215038FD2FA2B9DB4689A3EA03EDDD78CE8040C8BE45A8C9E19078FEB05A2 |
SHA-512: | 9C2BEB6EFE1B74CBDC19023B9A1765CFD23F2832257B5712C9B76AEF81133C7FD3A6BE8D566F03E6B5E1489469045C8025B91B7A1BECCDCD4AA88F53FCF03D0C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6338 |
Entropy (8bit): | 3.724583943526375 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ5X6IZ0YU40dprR889b6Ksft+m:R6lXJJ6IZ0YU40xp6pfN |
MD5: | 0F0BC28A956194AAAE53DBE29ED4DD2A |
SHA1: | BDA1295CF3E702B2B953BA657E8B410449170373 |
SHA-256: | 7D26FA3C7DAD230C2041586ADCAB88366B51F49B54E023EF681554AB8B5B363B |
SHA-512: | C571EDA62E51E15AB504E0DAE920AED5E45885D71D45CA52D84282901149E68B461EADED1A57A2C015D5612E09AF3790068D08417B44E462307BB13ACC9243A8 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4672 |
Entropy (8bit): | 4.504038271592486 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsTJg77aI9VqWpW8VYMYm8M4JbjFC+q8wh0wjwQRd:uIjftI7HL7VIJw/0wMQRd |
MD5: | 222F5A0662A9F6BE1C3A03890A096681 |
SHA1: | 5522AAF1A9694BA7D11701D564F2FD958CBD1E60 |
SHA-256: | C140E884C1A786368045B0CB61C21BE21F98EC1023A413552709D31AD6A7234E |
SHA-512: | BFEC5BAECA13C9F71747D9E5DEE297981F07692103757F344BBB9EE2870BC256CC89044F11C0F63F7F03217373EA887E3E2422DD28DF4ACBDDB97BA0AA3CB736 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 484658 |
Entropy (8bit): | 7.809711763657168 |
Encrypted: | false |
SSDEEP: | 12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd |
MD5: | 5C727AE28F0DECF497FBB092BAE01B4E |
SHA1: | AADE364AE8C2C91C6F59F85711B53078FB0763B7 |
SHA-256: | 77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80 |
SHA-512: | 5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 112291 |
Entropy (8bit): | 1.249420131631438 |
Encrypted: | false |
SSDEEP: | 768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD |
MD5: | 4D1D72CFC5940B09DFBD7B65916F532E |
SHA1: | 30A45798B534842002B103A36A3B907063F8A96C |
SHA-256: | 479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496 |
SHA-512: | 048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 286225 |
Entropy (8bit): | 7.710114949306163 |
Encrypted: | false |
SSDEEP: | 6144:tIDUHdfSOxO7G+xkFHmRKJCbqkLdzd2DI22C9pYV:t5xhC/6FHQGwqmB+I6S |
MD5: | 34F265250B7ED15DC0990A62F24E4D46 |
SHA1: | 9B704DA4147DFCF5A8E79E6510344D69BFD4DA51 |
SHA-256: | ED4A13E1A9C95FCE5A54AB84B479D07F8900E58C6A4B4CE71D442FA3171F4FF4 |
SHA-512: | C990A4472DB4D9EE7E766DE924AB2A843971BC1624C8A79099709B27BBA04B5223C47362588C1DFD835CD45E14CD03E5D8BD17BC198858BB6AD38DCE316734D0 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 362089 |
Entropy (8bit): | 1.23992084267325 |
Encrypted: | false |
SSDEEP: | 768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB |
MD5: | A4340182CDDD2EC1F1480360218343F9 |
SHA1: | 50EF929FEA713AA6FCC05E8B75F497B7946B285B |
SHA-256: | B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3 |
SHA-512: | 021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 139354 |
Entropy (8bit): | 1.2473328695625903 |
Encrypted: | false |
SSDEEP: | 768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp |
MD5: | B0FB6B583D6902DE58E1202D12BA4832 |
SHA1: | 7F585B5C3A4581CE76E373C78A6513F157B20480 |
SHA-256: | E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661 |
SHA-512: | E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 29090 |
Entropy (8bit): | 4.557557000479259 |
Encrypted: | false |
SSDEEP: | 768:pHSuQk1y9dJm5jpRjBzovMg5UmxBCedq+:pHb0yRjB5ga+r3 |
MD5: | E6704DB94EBC651D67A06C37F49BE45B |
SHA1: | 291DDC7027CB3DEE53C9D67B2EA8200AF11352D2 |
SHA-256: | EB2552A216C6B17EDCD5C758F162A778047B8EB25F7927C48591FBE87F7EF21C |
SHA-512: | 4DAB316D438F748E21CCD8865D43BE332712A3BA2A12B7C53FB023E8D59F0429D39E03702E9C20A82B02ECD27133107C448722354E41E382949819EEEBC87542 |
Malicious: | false |
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12288 |
Entropy (8bit): | 5.719859767584478 |
Encrypted: | false |
SSDEEP: | 192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6 |
MD5: | 0D7AD4F45DC6F5AA87F606D0331C6901 |
SHA1: | 48DF0911F0484CBE2A8CDD5362140B63C41EE457 |
SHA-256: | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA |
SHA-512: | C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9 |
Malicious: | false |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
Process: | C:\Users\user\Desktop\4AMVusDMPP.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1439902 |
Entropy (8bit): | 5.50423023217672 |
Encrypted: | false |
SSDEEP: | 24576:vI5xhHFHNZm2Ro3xX3y4bz2lWwWo6rSTZye:+tZtRoBXbz2luo6rS1ye |
MD5: | C0586E009617EADA0D82E3C7809D4169 |
SHA1: | DE3E11D2209A23DEECC8CBA975042CBAD8E49C5F |
SHA-256: | 7A3A77EEC2C93A1792B7B2D3BE81E4E3A8296AC20798B163876B768480E8396F |
SHA-512: | ECF2323E8C6AE3438A1BF87DAFFD8910512B02E8C94FA0244192B2DA2DD7711F58135D98A1C9D2316CD19A8C0B6354D8D7D198F84683655EC16212D3997026E3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.295990285181049 |
Encrypted: | false |
SSDEEP: | 6144:h41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+2lmBMZJh1Vjf:W1/YCW2AoQ0Ni4lwMHrVL |
MD5: | 3CCC3287BCB60DED9FA787DAE0C296B9 |
SHA1: | 71FD298E387E0FC66E19500712EBE9E9442448B7 |
SHA-256: | 6EE500FBFA3047079E0804EE90AC7C0EA37A23DFC5769883F0E98B954B7DC6D2 |
SHA-512: | 1805137C28E7E0E665500880305A8D405449BDDCA30BCDCAD71B1060BD30A99E9A2BCBB357C6ACC89B1575965CDBC5BF25236B426F0D3BF0910148B0C6F691E7 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.958154658093199 |
TrID: |
|
File name: | 4AMVusDMPP.exe |
File size: | 997'399 bytes |
MD5: | ed6f1c14e085e4fbc7c47f894f2140b9 |
SHA1: | 1757c800b765345d51a261e11ebe1d89f05c4865 |
SHA256: | 815d6b508fab5d16a8190a479fb4b72a3916d9afe21393eeb506098cb1a93c3a |
SHA512: | 2b4e7c8669272fd353516d9ba3931536106d480fa11731b445715830098f3f74884f661702bdf25e3d50d1424920f08e1743b2ff4ca65291f3a8f3f98c7fe385 |
SSDEEP: | 24576:9jwKCNd9QdnQK3gxR4Fm9/brSz8pCKDzJyhb1hy5xVgQ7O:V1CqnQc6YKPJyhbzyziV |
TLSH: | 0025230BF5C3EDAFC5A7C83598B65A97E8BBAD032480D143B374361E5C752E18826793 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*..... |
Icon Hash: | 46224e4c19391d03 |
Entrypoint: | 0x4034a5 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 1f23f452093b5c1ff091a2f9fb4fa3e9 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A230h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080ACh] |
call dword ptr [004080A8h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [0042A24Ch], eax |
je 00007F2D888139E3h |
push ebx |
call 00007F2D88816CADh |
cmp eax, ebx |
je 00007F2D888139D9h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007F2D88816C27h |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F2D888139BCh |
push 0000000Ah |
call 00007F2D88816C80h |
push 00000008h |
call 00007F2D88816C79h |
push 00000006h |
mov dword ptr [0042A244h], eax |
call 00007F2D88816C6Dh |
cmp eax, ebx |
je 00007F2D888139E1h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F2D888139D9h |
or byte ptr [0042A24Fh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [0042A318h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 004216E8h |
call dword ptr [00408188h] |
push 0040A384h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x21068 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6409 | 0x6600 | bfe2b726d49cbd922b87bad5eea65e61 | False | 0.6540287990196079 | data | 6.416186322230332 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1396 | 0x1400 | d45dcba8ca646543f7e339e20089687e | False | 0.45234375 | data | 5.154907432640367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x20358 | 0x600 | 8575fc5e872ca789611c386779287649 | False | 0.5026041666666666 | data | 4.004402321344153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x2b000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x55000 | 0x21068 | 0x21200 | 03ed2ed76ba15352dac9e48819696134 | False | 0.8714696344339623 | data | 7.556190648348207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_BITMAP | 0x554c0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
RT_ICON | 0x55828 | 0xc2a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9966684729162903 |
RT_ICON | 0x61ad0 | 0x86e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.990210843373494 |
RT_ICON | 0x6a1b0 | 0x5085 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9867559307233299 |
RT_ICON | 0x6f238 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4358921161825726 |
RT_ICON | 0x717e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4896810506566604 |
RT_ICON | 0x72888 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5367803837953091 |
RT_ICON | 0x73730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6913357400722022 |
RT_ICON | 0x73fd8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.38597560975609757 |
RT_ICON | 0x74640 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4934971098265896 |
RT_ICON | 0x74ba8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.651595744680851 |
RT_ICON | 0x75010 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.46908602150537637 |
RT_ICON | 0x752f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5472972972972973 |
RT_DIALOG | 0x75420 | 0x120 | data | English | United States | 0.53125 |
RT_DIALOG | 0x75540 | 0x118 | data | English | United States | 0.5678571428571428 |
RT_DIALOG | 0x75658 | 0x120 | data | English | United States | 0.5104166666666666 |
RT_DIALOG | 0x75778 | 0xf8 | data | English | United States | 0.6330645161290323 |
RT_DIALOG | 0x75870 | 0xa0 | data | English | United States | 0.6125 |
RT_DIALOG | 0x75910 | 0x60 | data | English | United States | 0.7291666666666666 |
RT_GROUP_ICON | 0x75970 | 0xae | data | English | United States | 0.6091954022988506 |
RT_VERSION | 0x75a20 | 0x308 | data | English | United States | 0.47036082474226804 |
RT_MANIFEST | 0x75d28 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795 |
DLL | Import |
---|---|
KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-01-11T01:15:33.617639+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49708 | 142.250.181.238 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 11, 2025 01:15:32.467848063 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:32.467906952 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:32.468131065 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:32.556783915 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:32.556798935 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.200089931 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.200159073 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.201005936 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.201060057 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.309113979 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.309132099 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.309603930 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.309652090 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.314172983 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.355326891 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.617616892 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.617671013 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.617679119 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.617832899 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.617968082 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.617997885 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10 |
Jan 11, 2025 01:15:33.618068933 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238 |
Jan 11, 2025 01:15:33.648571968 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:33.648607016 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:33.648688078 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:33.649111986 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:33.649135113 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:34.294859886 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:34.294981003 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:34.300157070 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:34.300194025 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:34.300507069 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:34.300591946 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:34.369452000 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:34.415335894 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.871890068 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.872066975 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.877708912 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.877882957 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.890187979 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.890436888 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.890450001 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.890547991 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.896512032 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.896588087 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.960163116 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.960221052 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.960302114 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.960314989 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.960380077 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.960380077 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.961471081 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.961993933 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.961999893 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.963160038 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.975481033 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.975593090 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.975610018 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.975620985 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.975646973 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.975744009 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.975749016 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.975856066 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.979990005 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.980068922 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.980077028 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.980149984 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.986210108 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.986346006 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.986355066 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.986455917 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.992605925 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.993123055 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.993133068 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.993216038 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.998856068 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.999038935 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:36.999047041 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:36.999126911 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.005641937 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.006400108 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.006411076 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.006486893 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.010459900 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.010801077 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.010812998 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.010893106 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.016216993 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.016341925 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.016350985 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.016407013 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.032540083 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.032598019 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.032810926 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.032810926 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.032820940 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.033179045 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.050556898 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.050628901 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.050646067 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.050656080 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.050672054 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.050925016 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.050931931 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.050982952 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.050996065 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.051003933 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.051337957 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.051337957 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.051347017 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.051609039 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.054434061 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.054502010 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.054511070 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.054517984 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.054549932 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.054718971 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.060584068 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.060674906 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.060682058 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.060925007 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.065463066 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.065712929 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.065721035 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.066783905 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.070652962 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.070712090 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.070719957 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.070768118 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.074042082 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.074255943 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.074263096 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.075320959 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.078949928 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.079008102 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.079015017 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.079061985 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.087824106 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.088015079 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.088032007 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.088044882 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.088057041 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.088092089 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.088109970 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.092675924 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.092725039 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.092732906 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.092957020 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.097564936 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.097631931 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.097645998 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.097728014 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.102333069 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.103333950 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.103341103 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.104690075 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.106204033 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.106260061 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.106395960 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.106820107 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.110456944 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.110511065 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.110538960 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.110546112 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.110583067 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.110601902 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.110639095 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.110687971 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.110760927 CET | 443 | 49709 | 172.217.16.193 | 192.168.2.10 |
Jan 11, 2025 01:15:37.110780001 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.110816956 CET | 49709 | 443 | 192.168.2.10 | 172.217.16.193 |
Jan 11, 2025 01:15:37.728749037 CET | 49710 | 80 | 192.168.2.10 | 193.122.130.0 |
Jan 11, 2025 01:15:37.733691931 CET | 80 | 49710 | 193.122.130.0 | 192.168.2.10 |
Jan 11, 2025 01:15:37.734148026 CET | 49710 | 80 | 192.168.2.10 | 193.122.130.0 |
Jan 11, 2025 01:15:37.734148026 CET | 49710 | 80 | 192.168.2.10 | 193.122.130.0 |
Jan 11, 2025 01:15:37.739130974 CET | 80 | 49710 | 193.122.130.0 | 192.168.2.10 |
Jan 11, 2025 01:15:41.206324100 CET | 80 | 49710 | 193.122.130.0 | 192.168.2.10 |
Jan 11, 2025 01:15:41.255081892 CET | 49710 | 80 | 192.168.2.10 | 193.122.130.0 |
Jan 11, 2025 01:16:04.824492931 CET | 49710 | 80 | 192.168.2.10 | 193.122.130.0 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 11, 2025 01:15:32.456149101 CET | 61161 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 11, 2025 01:15:32.463021040 CET | 53 | 61161 | 1.1.1.1 | 192.168.2.10 |
Jan 11, 2025 01:15:33.639823914 CET | 52050 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 11, 2025 01:15:33.647726059 CET | 53 | 52050 | 1.1.1.1 | 192.168.2.10 |
Jan 11, 2025 01:15:37.717549086 CET | 52961 | 53 | 192.168.2.10 | 1.1.1.1 |
Jan 11, 2025 01:15:37.724399090 CET | 53 | 52961 | 1.1.1.1 | 192.168.2.10 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 11, 2025 01:15:32.456149101 CET | 192.168.2.10 | 1.1.1.1 | 0x8365 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jan 11, 2025 01:15:33.639823914 CET | 192.168.2.10 | 1.1.1.1 | 0x47f0 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Jan 11, 2025 01:15:37.717549086 CET | 192.168.2.10 | 1.1.1.1 | 0xe616 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 11, 2025 01:15:32.463021040 CET | 1.1.1.1 | 192.168.2.10 | 0x8365 | No error (0) | 142.250.181.238 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:33.647726059 CET | 1.1.1.1 | 192.168.2.10 | 0x47f0 | No error (0) | 172.217.16.193 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | checkip.dyndns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | 193.122.130.0 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | 132.226.247.73 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | 158.101.44.242 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | 132.226.8.169 | A (IP address) | IN (0x0001) | false | ||
Jan 11, 2025 01:15:37.724399090 CET | 1.1.1.1 | 192.168.2.10 | 0xe616 | No error (0) | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.10 | 49710 | 193.122.130.0 | 80 | 4216 | C:\Users\user\Desktop\4AMVusDMPP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Jan 11, 2025 01:15:37.734148026 CET | 151 | OUT | |
Jan 11, 2025 01:15:41.206324100 CET | 745 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.10 | 49708 | 142.250.181.238 | 443 | 4216 | C:\Users\user\Desktop\4AMVusDMPP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 00:15:33 UTC | 216 | OUT | |
2025-01-11 00:15:33 UTC | 1920 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.10 | 49709 | 172.217.16.193 | 443 | 4216 | C:\Users\user\Desktop\4AMVusDMPP.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-01-11 00:15:34 UTC | 258 | OUT | |
2025-01-11 00:15:36 UTC | 4952 | IN | |
2025-01-11 00:15:36 UTC | 4952 | IN | |
2025-01-11 00:15:36 UTC | 4793 | IN | |
2025-01-11 00:15:36 UTC | 1325 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN | |
2025-01-11 00:15:36 UTC | 1390 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 19:14:54 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\4AMVusDMPP.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 997'399 bytes |
MD5 hash: | ED6F1C14E085E4FBC7C47F894F2140B9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 19:15:23 |
Start date: | 10/01/2025 |
Path: | C:\Users\user\Desktop\4AMVusDMPP.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 997'399 bytes |
MD5 hash: | ED6F1C14E085E4FBC7C47F894F2140B9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 19:15:41 |
Start date: | 10/01/2025 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3f0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 20% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 19.9% |
Total number of Nodes: | 1570 |
Total number of Limit Nodes: | 39 |
Graph
Function 004034A5 Relevance: 80.9, APIs: 32, Strings: 14, Instructions: 410stringfilecomCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405AFA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403AD8 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215stringregistryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402F30 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 203memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040640A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209stringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145stringtimeCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401B77 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB2AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB2993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404850 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB1B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402104 Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040451E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB2569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB18D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB2394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 6EAB10E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00162DD1 Relevance: 2.9, Strings: 2, Instructions: 432COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001619B8 Relevance: 5.8, Strings: 4, Instructions: 844COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00160B30 Relevance: 5.2, Strings: 4, Instructions: 200COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00162C78 Relevance: 2.6, Strings: 2, Instructions: 125COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00161877 Relevance: .1, Instructions: 85COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001618C8 Relevance: .1, Instructions: 77COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0016324D Relevance: .1, Instructions: 68COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 001617B8 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00161888 Relevance: .0, Instructions: 19COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00161A40 Relevance: 5.1, Strings: 4, Instructions: 98COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|