Edit tour
Windows
Analysis Report
25hBQ7XDkh.exe
Overview
General Information
| Sample Name: | 25hBQ7XDkh.exe |
| Analysis ID: | 563159 |
| MD5: | 669c9c7805726ead633b2539c0885ee9 |
| SHA1: | 744ecd691023e99f2391abe346efa243619b9add |
| SHA256: | 895be5d5816339f3f7100cfa36463d9652048babe690920fc195e4a39d7ab6c5 |
| Tags: | BitRATexe |
| Infos: |  |
 | |
Detection
BitRAT Xmrig
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected BitRAT
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Found API chain indicative of debugger detection
Machine Learning detection for sample
May check the online IP address of the machine
C2 URLs / IPs found in malware configuration
May use the Tor software to hide its network traffic
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
25hBQ7XDkh.exe (PID: 796 cmdline: "C:\Users\ user\Deskt op\25hBQ7X Dkh.exe" MD5: 669C9C7805726EAD633B2539C0885EE9) - windowsconnect.exe (PID: 1364 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B) - windowsconnect.exe (PID: 6892 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B) - windowsconnect.exe (PID: 7072 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B) - windowsconnect.exe (PID: 6152 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B) - windowsconnect.exe (PID: 5504 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B) - windowsconnect.exe (PID: 6432 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B) - windowsconnect.exe (PID: 6304 cmdline:
"C:\Users\ user\AppDa ta\Local\e a242c1c\to r\windowsc onnect.exe " -f torrc MD5: 5CFE61FF895C7DAA889708665EF05D7B)
- cleanup
{"Host": "coows4drmxtsbjfj47tkoiguo2lzozkvw3sd47tcyv2zsgk6ysrcprid.onion", "Port": "0", "Tor Port": "80", "Install Dir": "0", "Install File": "0", "Communication Password": "87eb85e211d7780d996d77e12a0ba96d", "Tor Process Name": "windowsconnect"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security | ||
| MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security | ||
| MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen |
| |
| JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security | ||
| MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen |
|
⊘No Sigma rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Metadefender: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Binary or memory string: | ||
Bitcoin Miner | |
|---|
| Source: | File source: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
Networking | |
|---|
| Source: | DNS query: | ||
| Source: | URLs: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary or memory string: | ||
| Source: | Windows user hook set: | Jump to behavior | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 4_2_6DD68C00 | |
| Source: | Code function: | 12_2_6DE045C1 | |
| Source: | Code function: | 12_2_6DE00150 | |
| Source: | Code function: | 12_2_6DDFC8E7 | |
| Source: | Code function: | 12_2_6DDFFCE0 | |
| Source: | Code function: | 12_2_6DDFF4E0 | |
| Source: | Code function: | 12_2_6DE01CB0 | |
| Source: | Code function: | 12_2_6DDFD4A1 | |
| Source: | Code function: | 12_2_6DDF6870 | |
| Source: | Code function: | 12_2_6DE00C10 | |
| Source: | Code function: | 12_2_6DDFB420 | |
| Source: | Code function: | 12_2_6DDF6FC0 | |
| Source: | Code function: | 12_2_6DDFCBB3 | |
| Source: | Code function: | 12_2_6DDFFFA0 | |
| Source: | Code function: | 12_2_6DDF7F49 | |
| Source: | Code function: | 12_2_6DDFC740 | |
| Source: | Code function: | 12_2_6DDF6B60 | |
| Source: | Code function: | 12_2_6DDF9B06 | |
| Source: | Code function: | 12_2_6DDF72C0 | |
| Source: | Code function: | 12_2_6DDF7691 | |
| Source: | Code function: | 12_2_6DDFFA90 | |
| Source: | Code function: | 12_2_6DDFF280 | |
| Source: | Code function: | 12_2_6DDF96A0 | |
| Source: | Code function: | 12_2_6DDFB64C | |
| Source: | Code function: | 12_2_6DE00650 | |
| Source: | Code function: | 13_2_6D512152 | |
| Source: | Code function: | 13_2_6D511D43 | |
| Source: | Code function: | 13_2_6D511D30 | |
| Source: | Code function: | 13_2_6D51B9C8 | |
| Source: | Code function: | 13_2_6D51C75B | |
| Source: | Code function: | 13_2_6D512F73 | |
| Source: | Code function: | 13_2_6D51EB60 | |
| Source: | Code function: | 13_2_6D513A60 | |
| Source: | Code function: | 13_2_6D519680 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Virustotal: | ||
| Source: | Metadefender: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00687069 | |
| Source: | Code function: | 4_2_6DD65B48 | |
| Source: | Code function: | 4_2_6DD68A89 | |
| Source: | Code function: | 12_2_6DDF146F | |
| Source: | Code function: | 13_2_6D525252 | |
| Source: | Code function: | 13_2_6D52542F | |
| Source: | Code function: | 13_2_6D53139A | |
| Source: | Code function: | 13_2_6D525252 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 12_2_6DEF8CA0 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Binary or memory string: | ||
| Source: | Registry key monitored for changes: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Evasive API call chain: | graph_4-5151 | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | API coverage: | ||
| Source: | Binary or memory string: | ||
Anti Debugging | |
|---|
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Thread information set: | Jump to behavior | ||
| Source: | Debugger detection routine: | graph_4-4898 | ||
| Source: | Code function: | 0_2_00690682 | |
| Source: | Code function: | 12_2_6DEF8CA0 | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_006A043C | |
| Source: | Code function: | 0_2_006863BA | |
| Source: | Code function: | 0_2_00690682 | |
| Source: | Code function: | 4_2_6DD64D60 | |
| Source: | Code function: | 4_2_6DD67E5C | |
| Source: | Code function: | 4_2_6DD67E60 | |
| Source: | Code function: | 4_2_6DD64E68 | |
| Source: | Code function: | 12_2_6DE0354C | |
| Source: | Code function: | 12_2_6DE03550 | |
| Source: | Code function: | 13_2_6D521F90 | |
| Source: | Code function: | 13_2_6D521F8C | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 12_2_6DDF18D0 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_00687385 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 12 Process Injection | 1 Masquerading | 2 Input Capture | 1 System Time Discovery | Remote Services | 2 Input Capture | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 22 Virtualization/Sandbox Evasion | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 12 Process Injection | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Multi-hop Proxy | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Obfuscated Files or Information | NTDS | 22 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | 13 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 1 Proxy | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 File and Directory Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 23 System Information Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 67% | Virustotal | Browse | ||
| 51% | Metadefender | Browse | ||
| 72% | ReversingLabs | Win32.Trojan.Graftor | ||
| 100% | Avira | TR/Redcap.cskpb | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Redcap.cskpb | ||
| 0% | Metadefender | Browse | ||
| 4% | ReversingLabs | |||
| 3% | Metadefender | Browse | ||
| 7% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 4% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 7% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 3% | ReversingLabs | |||
| 0% | Metadefender | Browse | ||
| 4% | ReversingLabs |
| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Redcap.cskpb | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Redcap.cskpb | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File | ||
| 100% | Avira | TR/Crypt.XPACK.Gen | Download File |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 4% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 3% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| myexternalip.com | 34.117.59.81 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 31.185.104.19 | unknown | Germany | 43847 | NBISERV-ASDE | false | |
| 81.7.16.182 | unknown | Germany | 35366 | ISPPRO-ASISPPRO-AScoversthenetworksofISPproDE | false | |
| 34.117.59.81 | myexternalip.com | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false | |
| 5.45.111.149 | unknown | Germany | 197540 | NETCUP-ASnetcupGmbHDE | false | |
| 199.249.230.64 | unknown | United States | 62744 | QUINTEXUS | false | |
| 185.225.17.3 | unknown | Romania | 39798 | MIVOCLOUDMD | false | |
| 50.7.74.174 | unknown | United States | 174 | COGENT-174US | false | |
| 86.59.21.38 | unknown | Austria | 8437 | UTA-ASAT | false | |
| 199.249.230.83 | unknown | United States | 62744 | QUINTEXUS | false | |
| 50.7.74.170 | unknown | United States | 174 | COGENT-174US | false | |
| 178.33.183.251 | unknown | France | 16276 | OVHFR | false | |
| 185.13.39.197 | unknown | France | 197922 | FIRSTHEBERGFR | false | |
| 62.141.38.69 | unknown | Germany | 24961 | MYLOC-ASIPBackboneofmyLocmanagedITAGDE | false |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox Version: | 34.0.0 Boulder Opal |
| Analysis ID: | 563159 |
| Start date: | 31.01.2022 |
| Start time: | 09:36:08 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 13m 22s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | 25hBQ7XDkh.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 22 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.troj.evad.mine.winEXE@15/13@1/14 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 204.79.197.222
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fp.msedge.net, a-0019.a-msedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 09:37:17 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 31.185.104.19 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| myexternalip.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| NBISERV-ASDE | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 232 |
| Entropy (8bit): | 4.868045123356923 |
| Encrypted: | false |
| SSDEEP: | 6:SbdWwxXW8BnXr87+QVe2vwR/Ep5fM8IrQBP:bwxXWQXr87HVBvwNCCsV |
| MD5: | A770AA8146898CB10B06C4614E10CF3E |
| SHA1: | BC056412391A0BA876FA741D6588FAA81263FD2B |
| SHA-256: | 64F3F8F6D94D8DF4AAE12406274355CCEFC614FD0BB19F5042F0BEE7DA535C53 |
| SHA-512: | 01DEAF24895715C5286E7A3BBB376A313FCF340EEE964DA2F133DA95A44A58ADD50A4450973176F2EED4A4AAC51AE6FF249AE50A1A11B1E2D1BF5D986ECB0ED7 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 232 |
| Entropy (8bit): | 4.868045123356923 |
| Encrypted: | false |
| SSDEEP: | 6:SbdWwxXW8BnXr87+QVe2vwR/Ep5fM8IrQBP:bwxXWQXr87HVBvwNCCsV |
| MD5: | A770AA8146898CB10B06C4614E10CF3E |
| SHA1: | BC056412391A0BA876FA741D6588FAA81263FD2B |
| SHA-256: | 64F3F8F6D94D8DF4AAE12406274355CCEFC614FD0BB19F5042F0BEE7DA535C53 |
| SHA-512: | 01DEAF24895715C5286E7A3BBB376A313FCF340EEE964DA2F133DA95A44A58ADD50A4450973176F2EED4A4AAC51AE6FF249AE50A1A11B1E2D1BF5D986ECB0ED7 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1781914 |
| Entropy (8bit): | 7.158347735645916 |
| Encrypted: | false |
| SSDEEP: | 49152:uKyA6xLkn84KAFa0ROvosyG/iRO1CPwDv3uFZjhUg2EeJUO9WLQ0u:u86xwnhKAFhovosyo31CPwDv3uFZjhUh |
| MD5: | 2384A02C4A1F7EC481ADDE3A020607D3 |
| SHA1: | 7E848D35A10BF9296C8FA41956A3DAA777F86365 |
| SHA-256: | C8DB0FF0F7047ED91B057005E86AD3A23EAE616253313AA047C560D9EB398369 |
| SHA-512: | 1AC74DD2D863ACD7415EF8B9490A5342865462FBABDAD0645DA22424B0D56F5E9C389A3D7C41386F2414D6C4715C79A6DDECB6E6CFF29E98319E1FD1060F4503 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 375453 |
| Entropy (8bit): | 6.942455142300998 |
| Encrypted: | false |
| SSDEEP: | 6144:7+wL9BBhoJgaEr2Y8SIe3V8JNkN7hOXsgZzKm:7z9vwhErYaVeNkN70cgwm |
| MD5: | 099983C13BADE9554A3C17484E5481F1 |
| SHA1: | A84E69AD9722F999252D59D0ED9A99901A60E564 |
| SHA-256: | B65F9AA0C7912AF64BD9B05E9322E994339A11B0C8907E6A6166D7B814BDA838 |
| SHA-512: | 89F1A963DE77873296395662D4150E3EFF7A2D297FB9EC54EC06AA2E40D41E5F4FC4611E9BC34126D760C9134F2907FEA3BEBDF2FBBD7EADDAD99F8E4BE1F5E2 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 292880 |
| Entropy (8bit): | 7.08760501332915 |
| Encrypted: | false |
| SSDEEP: | 6144:1Tlx3jVbWfC7HVtQKCuxvYPRqAxDIoTS2:1Tb3jVb4fuJCz3 |
| MD5: | B0D98F7157D972190FE0759D4368D320 |
| SHA1: | 5715A533621A2B642AAD9616E603C6907D80EFC4 |
| SHA-256: | 2922193133DABAB5B82088D4E87484E2FAC75E9E0C765DACAF22EB5F4F18B0C5 |
| SHA-512: | 41CE56C428158533BF8B8FFE0A71875B5A3ABC549B88D7D3E69ACC6080653ABEA344D6D66FFF39C04BF019FCAA295768D620377D85A933DDAF17F3D90DF29496 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 450373 |
| Entropy (8bit): | 6.9077953346074 |
| Encrypted: | false |
| SSDEEP: | 12288:15D04uko/Sxg3MWFccpVpfVmy3ocIdNyxtw3iFFrS6XL:8fkeh33FccpVp9jxtw3iFFrS6XL |
| MD5: | C88826AC4BB879622E43EAD5BDB95AEB |
| SHA1: | 87D29853649A86F0463BFD9AD887B85EEDC21723 |
| SHA-256: | C4D898B1A4285A45153AF9ED88D79AA2A073DCB7225961B6B276B532B4D18B6F |
| SHA-512: | F733041EF35B9B8058FBCF98FAA0D1FEA5C0858FEA941ECEBBE9F083CD73E3E66323AFFFD8D734097FCDD5E6E59DB4D94F51FCA5874EDBCD2A382D9BA6CD97B3 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 90333 |
| Entropy (8bit): | 6.919951469409257 |
| Encrypted: | false |
| SSDEEP: | 1536:5lZ0qS+fl4CFzLCNfcnleimT+RqMGAI1SWA8yCM0NX2wu:5lzbfpChcPEM8e8yCDX2N |
| MD5: | 2C916456F503075F746C6EA649CF9539 |
| SHA1: | FA1AFC1F3D728C89B2E90E14CA7D88B599580A9D |
| SHA-256: | CBB5236D923D4F4BAF2F0D2797C72A2CBAE42EF7AC0ACCE786DAF5FDC5B456E6 |
| SHA-512: | 1C1995E1AA7C33C597C64122395275861D9219E46D45277D4F1768A2E06227B353D5D77D6B7CB655082DC6FB9736AD6F7CFCC0C90E02776E27D50857E792E3FD |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 192765 |
| Entropy (8bit): | 7.258269000752376 |
| Encrypted: | false |
| SSDEEP: | 3072:Vb2IhqYh6ZwXqIXsJHAFXkwbtotutg+UISEyZ0ENrbhESggAEim3YnsVwTivFo:3iIqI+HAvbtjtplhyT41Kim3Y0wTivFo |
| MD5: | D407CC6D79A08039A6F4B50539E560B8 |
| SHA1: | 21171ADBC176DC19AAA5E595CD2CD4BD1DFD0C71 |
| SHA-256: | 92CFD0277C8781A15A0F17B7AEE6CFF69631B9606A001101631F04B3381EFC4E |
| SHA-512: | 378A10FED915591445D97C6D04E82D28008D8EA65E0E40C142B8EE59867035D561D4E103495C8F0D9C19B51597706CE0B450C25516AA0F1744579FFCD097AE0C |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 139 |
| Entropy (8bit): | 4.932519643489788 |
| Encrypted: | false |
| SSDEEP: | 3:0rMRxjOMtUuzaAvov+9RwWZCvqRq+uyhERRAiIDt+kiE2J5A+RXG8sREn:CMRIM/aQovqRZCvq3cAiIwkn23AuXSin |
| MD5: | B85568034F04FA0E29B8FC8BAE09F046 |
| SHA1: | 4C8D8C2F810C53DEEF72D15967CFA95C715F4BAD |
| SHA-256: | 64F82E962E15F3C39A83B4B60FD03E7993134FFC58A1F91B740A2BBD4959A10D |
| SHA-512: | 231AE8245D92AA5EA598CEBC3D966B8F77237F4C729EE4A423BFCD7B67390920FB0635C74CC548626C38842A7FDC194FEF66BE501A4DB673B70EBBBE6A46D921 |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 996352 |
| Entropy (8bit): | 7.912146678547723 |
| Encrypted: | false |
| SSDEEP: | 24576:V82yLnYQN5FlyjIJO1UPrb6uFeCyL145gYaw0ZfbFeRkCrqKEV5D:VvuYQNPlNJxOuF1730ZfbUkr |
| MD5: | 5CFE61FF895C7DAA889708665EF05D7B |
| SHA1: | 5E58EFE30406243FBD58D4968B0492DDEEF145F2 |
| SHA-256: | F9C1D18B50CE7484BF212CB61A9035602CFB90EBDFE66A077B9F6DF73196A9F5 |
| SHA-512: | 43B6F10391A863A21F70E05CEE41900729C7543750E118FF5D74C0CAC3D1383F10BCB73EADE2A28B555A393CADA4795E204246129B01AD9177D1167827DD68DA |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | unknown |
| Preview: |
| Process: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 53760 |
| Entropy (8bit): | 7.819616972153237 |
| Encrypted: | false |
| SSDEEP: | 768:9dfKEwqfuHtTeSgJZ+d4BlJthH1zs4/rqjc8J7RvrAsUU05Yr7QHN1/poPU:9dCjqvZ+d4Vthx/2cA7RU1Vo2NBpwU |
| MD5: | ADD33041AF894B67FE34E1DC819B7EB6 |
| SHA1: | 6DB46EB021855A587C95479422ADCC774A272EEB |
| SHA-256: | 8688BD7CA55DCC0C23C429762776A0A43FE5B0332DFD5B79EF74E55D4BBC1183 |
| SHA-512: | BAFC441198D03F0E7FE804BAB89283C389D38884D0F87D81B11950A9B79FCBF7B32BE4BB16F4FCD9179B66F865C563C172A46B4514A6087EF0AF64425A4B2CFA |
| Malicious: | false |
| Reputation: | unknown |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.076024117926356 |
| TrID: |
|
| File name: | 25hBQ7XDkh.exe |
| File size: | 8151557 |
| MD5: | 669c9c7805726ead633b2539c0885ee9 |
| SHA1: | 744ecd691023e99f2391abe346efa243619b9add |
| SHA256: | 895be5d5816339f3f7100cfa36463d9652048babe690920fc195e4a39d7ab6c5 |
| SHA512: | 17353f5f6780d5d495a76c5532ebc3e96ff17c3ef0dcfe3a57576d1fc4875eb4d6801469d98e986ffdfdc6356f1f16ae0cfa8aaab3cd19c00a6b41fbd21e25d8 |
| SSDEEP: | 196608:3HyHu9V2LhRxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73s:3SO92RxwZ6v1CPwDv3uFteg2EeJUO9W/ |
| File Content Preview: | MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......................Jh......Jh..9...Jh......`T,.............i.......i.......i.......#.;.....#.:.....#. .....................#.%.... |
 | |
| Icon Hash: | 00828e8e8686b000 |
| Entrypoint: | 0x686058 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5FF88D11 [Fri Jan 8 16:49:21 2021 UTC] |
| TLS Callbacks: | 0x5ca200 |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 2b817dc1b1849c6a436f0647be7673e0 |
| Instruction |
|---|
| call 00007F485D34870Dh |
| jmp 00007F485D347273h |
| cmp ecx, dword ptr [00788BC8h] |
| jne 00007F485D3473E5h |
| ret |
| jmp 00007F485D347755h |
| jmp dword ptr [006DB3D8h] |
| mov ecx, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| mov ecx, dword ptr [ebp-10h] |
| xor ecx, ebp |
| call 00007F485D3473AFh |
| jmp 00007F485D3473C0h |
| mov ecx, dword ptr [ebp-14h] |
| xor ecx, ebp |
| call 00007F485D34739Eh |
| jmp 00007F485D3473AFh |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [00788BC8h] |
| xor eax, ebp |
| push eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| lea eax, dword ptr [esp+0Ch] |
| sub esp, dword ptr [esp+0Ch] |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [eax], ebp |
| mov ebp, eax |
| mov eax, dword ptr [00788BC8h] |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-10h], eax |
| push dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFFh |
| lea eax, dword ptr [ebp-0Ch] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| push eax |
| push dword ptr fs:[00000000h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x384530 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a3000 | 0x409c28 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x3444cc | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x325120 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x382924 | 0x280 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2d96d4 | 0x2d9800 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2db000 | 0xaabc2 | 0xaac00 | False | 0.409499965684 | data | 5.39131832102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x386000 | 0x19c04 | 0x12200 | False | 0.134859913793 | data | 4.99173297126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .gfids | 0x3a0000 | 0x11f8 | 0x1200 | False | 0.390190972222 | data | 4.14154064622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0x3a2000 | 0x9 | 0x200 | False | 0.033203125 | data | 0.0203931352361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x3a3000 | 0x409c28 | 0x409e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7ad000 | 0x244c4 | 0x24600 | False | 0.00112086554983 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_RCDATA | 0x3a31b0 | 0x1b309a | PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x556250 | 0x5ba9d | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x5b1cf0 | 0x47810 | PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x5f9500 | 0x6df45 | PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x667448 | 0x160dd | PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x67d528 | 0x2f0fd | PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x6ac628 | 0xf3400 | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed | English | United States |
| RT_RCDATA | 0x79fa28 | 0xd200 | PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed | English | United States |
| DLL | Import |
|---|---|
| KERNEL32.DLL | HeapFree, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, HeapSize, PostQueuedCompletionStatus, FormatMessageW, GetLastError, SetEvent, TlsAlloc, HeapReAlloc, CloseHandle, RaiseException, HeapAlloc, DecodePointer, HeapDestroy, LocalFree, DeleteCriticalSection, GetProcessHeap, WideCharToMultiByte, TlsFree, FormatMessageA, CreateEventA, GetCurrentProcess, GetSystemTimes, GetTickCount64, GetProcessTimes, SetWaitableTimer, TlsSetValue, SetLastError, CreateWaitableTimerW, WaitForMultipleObjects, InitializeCriticalSectionAndSpinCount, GetQueuedCompletionStatus, WaitForSingleObject, GetModuleHandleA, CreateEventW, MultiByteToWideChar, TerminateThread, QueueUserAPC, GetProcAddress, VerSetConditionMask, SleepEx, VerifyVersionInfoW, TlsGetValue, GetSystemTimeAsFileTime, CreateIoCompletionPort, CreateDirectoryW, ReadFile, SizeofResource, QueryDosDeviceW, GetVolumeInformationW, FindFirstFileW, WriteProcessMemory, FindFirstFileExW, SetPriorityClass, VirtualFree, GetFullPathNameW, FindNextFileW, lstrlenW, WriteFile, Wow64DisableWow64FsRedirection, GetSystemDefaultUILanguage, GetDiskFreeSpaceW, VirtualAlloc, TerminateProcess, GetDriveTypeA, GetModuleFileNameW, GetUserDefaultLocaleName, GetProcessId, K32GetModuleFileNameExW, GetProductInfo, Thread32Next, GetTempPathW, CreateMutexW, Thread32First, FindClose, GetLocaleInfoW, CreateFileW, GetFileAttributesW, GetCurrentThreadId, GetVersionExW, K32GetProcessImageFileNameW, SuspendThread, GetSystemDirectoryW, ResumeThread, lstrcatA, OpenProcess, SetFileAttributesW, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, Sleep, CopyFileA, Process32NextW, K32GetProcessMemoryInfo, CreateFileA, GetCurrentThread, LoadLibraryA, LockResource, GlobalAlloc, Process32FirstW, GlobalFree, GetNativeSystemInfo, GetSystemInfo, LoadLibraryW, FindResourceExW, LoadResource, FindResourceW, SetFileAttributesA, GetThreadContext, GetPriorityClass, GlobalLock, VirtualAllocEx, MoveFileExW, GetFileSize, ExitProcess, ReadProcessMemory, GetComputerNameW, FindFirstStreamW, GetCurrentProcessId, SystemTimeToFileTime, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, WinExec, CreateRemoteThread, QueryFullProcessImageNameW, CreateProcessA, DebugBreak, SetThreadContext, FindNextStreamW, GetTickCount, GlobalUnlock, GetDriveTypeW, GetFileTime, OpenThread, GetExitCodeProcess, Beep, CreatePipe, PeekNamedPipe, GetStartupInfoA, lstrcpyA, CreateThread, CreateTimerQueueTimer, VirtualProtect, GetCommandLineW, DeviceIoControl, GetEnvironmentVariableW, GetExitCodeThread, FreeLibrary, IsDebuggerPresent, CreateTimerQueue, EncodePointer, TryEnterCriticalSection, DuplicateHandle, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, GetFileAttributesExW, GetFileInformationByHandle, SetEndOfFile, SetFilePointerEx, AreFileApisANSI, GetStringTypeW, GetCPInfo, CompareStringW, LCMapStringW, OutputDebugStringW, InitializeCriticalSection, GetSystemDirectoryA, VerifyVersionInfoA, ExpandEnvironmentStringsA, GetStdHandle, GetFileType, ResetEvent, ReleaseSemaphore, OpenEventA, GetLogicalProcessorInformation, GetCurrentDirectoryW, DeleteFileW, RemoveDirectoryW, CreateDirectoryExW, GetFileSizeEx, SwitchToFiber, DeleteFiber, CreateFiber, ConvertFiberToThread, ConvertThreadToFiber, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, GetSystemTime, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, RegisterWaitForSingleObject, GetThreadTimes, FreeLibraryAndExitThread, LoadLibraryExW, SignalObjectAndWait, SwitchToThread, SetThreadPriority, GetThreadPriority, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, UnregisterWait, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, RtlUnwind, SetConsoleCtrlHandler, ExitThread, GetModuleHandleExW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameA, WriteConsoleW, SetEnvironmentVariableA, GetACP, GetConsoleCP, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, SetStdHandle, GetTimeZoneInformation, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, VirtualQuery, LoadLibraryExA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 31, 2022 09:37:14.837025881 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:14.837090015 CET | 443 | 49761 | 199.249.230.64 | 192.168.2.4 |
| Jan 31, 2022 09:37:14.837186098 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:14.872176886 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:14.872224092 CET | 443 | 49761 | 199.249.230.64 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.415211916 CET | 443 | 49761 | 199.249.230.64 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.415359020 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:15.418318033 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:15.418328047 CET | 443 | 49761 | 199.249.230.64 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.418452024 CET | 443 | 49761 | 199.249.230.64 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.419097900 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:15.419111967 CET | 443 | 49761 | 199.249.230.64 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.535969973 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:37:15.849636078 CET | 49762 | 443 | 192.168.2.4 | 62.141.38.69 |
| Jan 31, 2022 09:37:15.849683046 CET | 443 | 49762 | 62.141.38.69 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.849761963 CET | 49762 | 443 | 192.168.2.4 | 62.141.38.69 |
| Jan 31, 2022 09:37:15.852082014 CET | 49762 | 443 | 192.168.2.4 | 62.141.38.69 |
| Jan 31, 2022 09:37:15.852097034 CET | 443 | 49762 | 62.141.38.69 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.950691938 CET | 443 | 49762 | 62.141.38.69 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.950779915 CET | 443 | 49762 | 62.141.38.69 | 192.168.2.4 |
| Jan 31, 2022 09:37:15.950834990 CET | 49762 | 443 | 192.168.2.4 | 62.141.38.69 |
| Jan 31, 2022 09:37:15.950949907 CET | 49762 | 443 | 192.168.2.4 | 62.141.38.69 |
| Jan 31, 2022 09:37:17.866297960 CET | 49763 | 443 | 192.168.2.4 | 185.225.17.3 |
| Jan 31, 2022 09:37:17.866348982 CET | 443 | 49763 | 185.225.17.3 | 192.168.2.4 |
| Jan 31, 2022 09:37:17.866440058 CET | 49763 | 443 | 192.168.2.4 | 185.225.17.3 |
| Jan 31, 2022 09:37:17.881438971 CET | 49763 | 443 | 192.168.2.4 | 185.225.17.3 |
| Jan 31, 2022 09:37:17.881465912 CET | 443 | 49763 | 185.225.17.3 | 192.168.2.4 |
| Jan 31, 2022 09:37:20.066009998 CET | 49765 | 443 | 192.168.2.4 | 50.7.74.170 |
| Jan 31, 2022 09:37:20.066054106 CET | 443 | 49765 | 50.7.74.170 | 192.168.2.4 |
| Jan 31, 2022 09:37:20.066153049 CET | 49765 | 443 | 192.168.2.4 | 50.7.74.170 |
| Jan 31, 2022 09:37:20.067132950 CET | 49765 | 443 | 192.168.2.4 | 50.7.74.170 |
| Jan 31, 2022 09:37:20.067148924 CET | 443 | 49765 | 50.7.74.170 | 192.168.2.4 |
| Jan 31, 2022 09:38:04.023655891 CET | 49761 | 443 | 192.168.2.4 | 199.249.230.64 |
| Jan 31, 2022 09:38:04.023854017 CET | 49765 | 443 | 192.168.2.4 | 50.7.74.170 |
| Jan 31, 2022 09:38:04.023854971 CET | 49763 | 443 | 192.168.2.4 | 185.225.17.3 |
| Jan 31, 2022 09:38:08.892594099 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:08.892648935 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:08.892748117 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.096311092 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.096330881 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.140306950 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.140383959 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.355667114 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.355703115 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.355927944 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.355995893 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.359544039 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.401870966 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.488527060 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.488579988 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:09.488601923 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.488632917 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.489790916 CET | 49796 | 443 | 192.168.2.4 | 34.117.59.81 |
| Jan 31, 2022 09:38:09.489813089 CET | 443 | 49796 | 34.117.59.81 | 192.168.2.4 |
| Jan 31, 2022 09:38:13.897356033 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:13.897437096 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:13.897521019 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:13.930105925 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:13.930146933 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.026504993 CET | 49813 | 443 | 192.168.2.4 | 185.13.39.197 |
| Jan 31, 2022 09:38:14.026554108 CET | 443 | 49813 | 185.13.39.197 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.026633024 CET | 49813 | 443 | 192.168.2.4 | 185.13.39.197 |
| Jan 31, 2022 09:38:14.028580904 CET | 49813 | 443 | 192.168.2.4 | 185.13.39.197 |
| Jan 31, 2022 09:38:14.028606892 CET | 443 | 49813 | 185.13.39.197 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.058933973 CET | 443 | 49813 | 185.13.39.197 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.483735085 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.483845949 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:14.486583948 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:14.486598969 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.486785889 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.541044950 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:14.541066885 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:14.588943005 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:14.633866072 CET | 443 | 49812 | 199.249.230.83 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.193941116 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:16.194005966 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.194153070 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:16.213618040 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:16.213661909 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.502630949 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.502728939 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:16.505120039 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:16.505137920 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.505256891 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.505386114 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:16.545867920 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.709867954 CET | 443 | 49815 | 81.7.16.182 | 192.168.2.4 |
| Jan 31, 2022 09:38:16.712085009 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:18.784090996 CET | 49817 | 443 | 192.168.2.4 | 50.7.74.174 |
| Jan 31, 2022 09:38:18.784149885 CET | 443 | 49817 | 50.7.74.174 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.784224987 CET | 49817 | 443 | 192.168.2.4 | 50.7.74.174 |
| Jan 31, 2022 09:38:18.854948044 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:18.855005026 CET | 443 | 49818 | 86.59.21.38 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.855082035 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:18.856056929 CET | 49817 | 443 | 192.168.2.4 | 50.7.74.174 |
| Jan 31, 2022 09:38:18.856091976 CET | 443 | 49817 | 50.7.74.174 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.856916904 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:18.856936932 CET | 443 | 49818 | 86.59.21.38 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.943260908 CET | 443 | 49818 | 86.59.21.38 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.943350077 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:18.945930958 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:18.945949078 CET | 443 | 49818 | 86.59.21.38 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.946072102 CET | 443 | 49818 | 86.59.21.38 | 192.168.2.4 |
| Jan 31, 2022 09:38:18.946216106 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:18.946237087 CET | 443 | 49818 | 86.59.21.38 | 192.168.2.4 |
| Jan 31, 2022 09:38:19.041301012 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:40.708116055 CET | 49812 | 443 | 192.168.2.4 | 199.249.230.83 |
| Jan 31, 2022 09:38:40.708173037 CET | 49817 | 443 | 192.168.2.4 | 50.7.74.174 |
| Jan 31, 2022 09:38:40.708266020 CET | 49815 | 443 | 192.168.2.4 | 81.7.16.182 |
| Jan 31, 2022 09:38:40.708296061 CET | 49818 | 443 | 192.168.2.4 | 86.59.21.38 |
| Jan 31, 2022 09:38:46.464920044 CET | 49852 | 443 | 192.168.2.4 | 31.185.104.19 |
| Jan 31, 2022 09:38:46.465004921 CET | 443 | 49852 | 31.185.104.19 | 192.168.2.4 |
| Jan 31, 2022 09:38:46.465133905 CET | 49852 | 443 | 192.168.2.4 | 31.185.104.19 |
| Jan 31, 2022 09:38:46.500283957 CET | 49852 | 443 | 192.168.2.4 | 31.185.104.19 |
| Jan 31, 2022 09:38:46.500341892 CET | 443 | 49852 | 31.185.104.19 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.328659058 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.328731060 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.328921080 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.332000971 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.332032919 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.431303978 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.431401968 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.434954882 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.434983015 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.435153961 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.435303926 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.477878094 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.481235027 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:47.481259108 CET | 443 | 49853 | 178.33.183.251 | 192.168.2.4 |
| Jan 31, 2022 09:38:47.528139114 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Jan 31, 2022 09:38:49.357774973 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.357882023 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.357975960 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.372744083 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.372791052 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.465971947 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.466094971 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.468466997 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.468498945 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.468669891 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.468698025 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.509881973 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.512609959 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:38:49.512653112 CET | 443 | 49854 | 5.45.111.149 | 192.168.2.4 |
| Jan 31, 2022 09:38:49.559520006 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:39:07.760787964 CET | 49852 | 443 | 192.168.2.4 | 31.185.104.19 |
| Jan 31, 2022 09:39:07.760914087 CET | 49854 | 443 | 192.168.2.4 | 5.45.111.149 |
| Jan 31, 2022 09:39:07.760946989 CET | 49853 | 443 | 192.168.2.4 | 178.33.183.251 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 31, 2022 09:38:08.859209061 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jan 31, 2022 09:38:08.878196001 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jan 31, 2022 09:38:08.859209061 CET | 192.168.2.4 | 8.8.8.8 | 0x8e42 | Standard query (0) | A (IP address) | IN (0x0001) |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jan 31, 2022 09:37:22.876281023 CET | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.standard.a-msedge.net | CNAME (Canonical name) | IN (0x0001) | ||
| Jan 31, 2022 09:38:08.878196001 CET | 8.8.8.8 | 192.168.2.4 | 0x8e42 | No error (0) | 34.117.59.81 | A (IP address) | IN (0x0001) |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49796 | 34.117.59.81 | 443 | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 62.141.38.69 | 443 | 192.168.2.4 | 49762 | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Jan 31, 2022 09:37:15.950691938 CET | 1194 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49796 | 34.117.59.81 | 443 | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| 2022-01-31 08:38:09 UTC | 0 | OUT | |
| 2022-01-31 08:38:09 UTC | 0 | IN | |
| 2022-01-31 08:38:09 UTC | 0 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 09:37:03 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\Desktop\25hBQ7XDkh.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 8151557 bytes |
| MD5 hash: | 669C9C7805726EAD633B2539C0885EE9 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 4 |
| Start time: | 09:37:11 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Target ID: | 12 |
| Start time: | 09:38:01 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 13 |
| Start time: | 09:38:10 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 14 |
| Start time: | 09:38:11 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 17 |
| Start time: | 09:38:38 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 19 |
| Start time: | 09:38:43 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 21 |
| Start time: | 09:39:05 |
| Start date: | 31/01/2022 |
| Path: | C:\Users\user\AppData\Local\ea242c1c\tor\windowsconnect.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xbd0000 |
| File size: | 996352 bytes |
| MD5 hash: | 5CFE61FF895C7DAA889708665EF05D7B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
Execution Graph
| Execution Coverage: | 12% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 4.8% |
| Total number of Nodes: | 394 |
| Total number of Limit Nodes: | 8 |
Graph
Function 006909DF Relevance: 7.6, APIs: 5, Instructions: 62threadCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 70% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 97% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0069092B Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 51% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0069C2D2 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0069CC9E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 94% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 84% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006A4125 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 77% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 75% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006A047D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 37% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 81% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 006A6E9C Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 95% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 0.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 1799 |
| Total number of Limit Nodes: | 0 |
Graph
Function 6DD64D60 Relevance: 19.6, APIs: 13, Instructions: 130COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 31% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64E68 Relevance: 1.5, APIs: 1, Instructions: 13COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67E60 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67E5C Relevance: 7.5, APIs: 5, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD68C00 Relevance: .3, Instructions: 331COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65CA0 Relevance: 24.1, APIs: 16, Instructions: 145COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65AD0 Relevance: 19.6, APIs: 13, Instructions: 105COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 71% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67FF0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 124filememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 19% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 27% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD615B0 Relevance: 18.1, APIs: 12, Instructions: 94sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD61FA0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 25% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62340 Relevance: 16.6, APIs: 11, Instructions: 127COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66600 Relevance: 16.6, APIs: 11, Instructions: 101synchronizationCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 29% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65130 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 49threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66CA0 Relevance: 15.1, APIs: 10, Instructions: 58sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD656C0 Relevance: 13.6, APIs: 9, Instructions: 78COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66780 Relevance: 13.6, APIs: 9, Instructions: 69COMMON
Download Yara Rule
| C-Code - Quality: 16% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66B90 Relevance: 13.6, APIs: 9, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64A20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73threadCOMMON
Download Yara Rule
| C-Code - Quality: 26% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD640A0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON
Download Yara Rule
| C-Code - Quality: 49% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD629D0 Relevance: 12.1, APIs: 8, Instructions: 99COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64C60 Relevance: 12.1, APIs: 8, Instructions: 72COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65DF7 Relevance: 12.1, APIs: 8, Instructions: 53threadinjectionsynchronizationCOMMON
Download Yara Rule
| C-Code - Quality: 16% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62397 Relevance: 12.1, APIs: 8, Instructions: 52COMMON
Download Yara Rule
| C-Code - Quality: 24% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63100 Relevance: 10.6, APIs: 7, Instructions: 140COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64650 Relevance: 10.6, APIs: 7, Instructions: 107COMMON
Download Yara Rule
| C-Code - Quality: 21% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62883 Relevance: 10.6, APIs: 7, Instructions: 98COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66EF0 Relevance: 10.6, APIs: 7, Instructions: 92COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD658B0 Relevance: 10.6, APIs: 7, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62AC1 Relevance: 10.6, APIs: 7, Instructions: 51COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD61B38 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67600 Relevance: 10.5, APIs: 7, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63870 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 43% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65410 Relevance: 9.1, APIs: 6, Instructions: 110COMMON
Download Yara Rule
| C-Code - Quality: 37% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD61020 Relevance: 9.1, APIs: 6, Instructions: 108sleepCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 41% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62760 Relevance: 9.1, APIs: 6, Instructions: 77COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63B20 Relevance: 9.1, APIs: 6, Instructions: 77COMMON
Download Yara Rule
| C-Code - Quality: 55% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD61840 Relevance: 9.1, APIs: 6, Instructions: 75COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67110 Relevance: 9.1, APIs: 6, Instructions: 64COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67040 Relevance: 9.1, APIs: 6, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65C20 Relevance: 9.0, APIs: 6, Instructions: 35sleepCOMMON
Download Yara Rule
| C-Code - Quality: 79% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62F90 Relevance: 7.6, APIs: 5, Instructions: 108threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63F90 Relevance: 7.6, APIs: 5, Instructions: 84COMMON
Download Yara Rule
| C-Code - Quality: 68% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD668A0 Relevance: 7.6, APIs: 5, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD61A20 Relevance: 7.6, APIs: 5, Instructions: 74COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66DE0 Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD69470 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64D88 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| C-Code - Quality: 83% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64771 Relevance: 7.6, APIs: 5, Instructions: 51COMMON
Download Yara Rule
| C-Code - Quality: 28% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64CA7 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66A90 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64673 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
Download Yara Rule
| C-Code - Quality: 21% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67260 Relevance: 7.5, APIs: 5, Instructions: 45COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 27% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67590 Relevance: 7.5, APIs: 5, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67B40 Relevance: 6.1, APIs: 4, Instructions: 117timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62620 Relevance: 6.1, APIs: 4, Instructions: 91COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD624E0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD61CA0 Relevance: 6.1, APIs: 4, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63CC0 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64149 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD62290 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD67A90 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65590 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63EE0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65260 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63D80 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63C20 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD64E9B Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD679E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66F71 Relevance: 6.0, APIs: 4, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD648D0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD66E43 Relevance: 6.0, APIs: 4, Instructions: 42COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65D7C Relevance: 6.0, APIs: 4, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD68410 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD65660 Relevance: 6.0, APIs: 4, Instructions: 34COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63A60 Relevance: 6.0, APIs: 4, Instructions: 24COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD63BD7 Relevance: 6.0, APIs: 4, Instructions: 21COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DD651A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 0.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 100% |
| Total number of Nodes: | 8 |
| Total number of Limit Nodes: | 1 |
Graph
Function 6DEF8CA0 Relevance: 6.2, APIs: 4, Instructions: 200COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE01CB0 Relevance: 9.5, APIs: 6, Instructions: 470COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE03550 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE0354C Relevance: 7.5, APIs: 5, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF18D0 Relevance: 6.1, APIs: 4, Instructions: 137COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE03220 Relevance: 21.2, APIs: 14, Instructions: 154COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE036E0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 124filememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE02F50 Relevance: 15.2, APIs: 10, Instructions: 158COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF1790 Relevance: 15.1, APIs: 10, Instructions: 51COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF17B0 Relevance: 13.7, APIs: 9, Instructions: 160COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF1020 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF5CB8 Relevance: 12.2, APIs: 8, Instructions: 188COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF17E0 Relevance: 12.2, APIs: 8, Instructions: 157COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE02F8C Relevance: 12.1, APIs: 8, Instructions: 119COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF1810 Relevance: 10.7, APIs: 7, Instructions: 162COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF1860 Relevance: 9.2, APIs: 6, Instructions: 150COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE02500 Relevance: 9.1, APIs: 6, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF1890 Relevance: 7.7, APIs: 5, Instructions: 155COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DDF6053 Relevance: 7.6, APIs: 5, Instructions: 117COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE041E0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE01320 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE02630 Relevance: 6.1, APIs: 4, Instructions: 103COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE02D70 Relevance: 6.1, APIs: 4, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE03126 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE032A9 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE03B00 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6DE03266 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 0.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 8 |
| Total number of Limit Nodes: | 1 |
Graph
Function 6D531FC0 Relevance: 6.2, APIs: 4, Instructions: 201COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D521F90 Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D521F8C Relevance: 7.5, APIs: 5, Instructions: 47COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D512900 Relevance: 20.0, APIs: 13, Instructions: 465COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D522120 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 124filememoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D518600 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D511020 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D517410 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 61stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D518800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D519400 Relevance: 10.6, APIs: 7, Instructions: 99COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D518430 Relevance: 9.0, APIs: 6, Instructions: 50COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D519529 Relevance: 9.0, APIs: 6, Instructions: 32COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D51C414 Relevance: 7.8, APIs: 5, Instructions: 348COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D5125B0 Relevance: 7.8, APIs: 5, Instructions: 254COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D516580 Relevance: 7.7, APIs: 5, Instructions: 222COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D51E150 Relevance: 7.6, APIs: 5, Instructions: 143COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D522CA0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D51950C Relevance: 7.6, APIs: 5, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D517AD0 Relevance: 6.1, APIs: 4, Instructions: 126COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D5194A7 Relevance: 6.1, APIs: 4, Instructions: 68COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D51954B Relevance: 6.0, APIs: 4, Instructions: 44COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D522540 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 6D51343C Relevance: 5.4, APIs: 4, Instructions: 430COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |