Windows
Analysis Report
Scanned_V11230111111PDF-clean.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Scanned_V11230111111PDF-clean.exe (PID: 6128 cmdline:
C:\Users\u ser\Deskto p\Scanned_ V112301111 11PDF-clea n.exe MD5: F1550A3B28BC977E1453701DE0EFC02B) - RegAsm.exe (PID: 2400 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F) - cmd.exe (PID: 4192 cmdline:
cmd" /c mk dir "C:\Us ers\user\A ppData\Roa ming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 3172 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 976 cmdline:
"cmd" /c s chtasks /c reate /sc minute /mo 1 /tn "Na fifas" /tr "'C:\User s\user\App Data\Roami ng\msdtc\m sdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 5304 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - schtasks.exe (PID: 5252 cmdline:
schtasks / create /sc minute /m o 1 /tn "N afifas" /t r "'C:\Use rs\user\Ap pData\Roam ing\msdtc\ msdtc.exe' " /f MD5: 15FF7D8324231381BAD48A052F85DF04) - cmd.exe (PID: 5308 cmdline:
cmd" /c co py "C:\Use rs\user\De sktop\Scan ned_V11230 111111PDF- clean.exe" "C:\Users \user\AppD ata\Roamin g\msdtc\ms dtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 1316 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msdtc.exe (PID: 1128 cmdline:
C:\Users\u ser\AppDat a\Roaming\ msdtc\msdt c.exe MD5: F1550A3B28BC977E1453701DE0EFC02B) - RegAsm.exe (PID: 4608 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F) - cmd.exe (PID: 5140 cmdline:
cmd" /c mk dir "C:\Us ers\user\A ppData\Roa ming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 972 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 6020 cmdline:
"cmd" /c s chtasks /c reate /sc minute /mo 1 /tn "Na fifas" /tr "'C:\User s\user\App Data\Roami ng\msdtc\m sdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 1664 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - schtasks.exe (PID: 5052 cmdline:
schtasks / create /sc minute /m o 1 /tn "N afifas" /t r "'C:\Use rs\user\Ap pData\Roam ing\msdtc\ msdtc.exe' " /f MD5: 15FF7D8324231381BAD48A052F85DF04) - cmd.exe (PID: 2980 cmdline:
cmd" /c co py "C:\Use rs\user\Ap pData\Roam ing\msdtc\ msdtc.exe" "C:\Users \user\AppD ata\Roamin g\msdtc\ms dtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 5096 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msdtc.exe (PID: 4936 cmdline:
C:\Users\u ser\AppDat a\Roaming\ msdtc\msdt c.exe MD5: F1550A3B28BC977E1453701DE0EFC02B) - RegAsm.exe (PID: 3216 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\RegA sm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F) - cmd.exe (PID: 5056 cmdline:
cmd" /c mk dir "C:\Us ers\user\A ppData\Roa ming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 3616 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 6092 cmdline:
"cmd" /c s chtasks /c reate /sc minute /mo 1 /tn "Na fifas" /tr "'C:\User s\user\App Data\Roami ng\msdtc\m sdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 6060 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - schtasks.exe (PID: 4808 cmdline:
schtasks / create /sc minute /m o 1 /tn "N afifas" /t r "'C:\Use rs\user\Ap pData\Roam ing\msdtc\ msdtc.exe' " /f MD5: 15FF7D8324231381BAD48A052F85DF04) - cmd.exe (PID: 6064 cmdline:
cmd" /c co py "C:\Use rs\user\Ap pData\Roam ing\msdtc\ msdtc.exe" "C:\Users \user\AppD ata\Roamin g\msdtc\ms dtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 5992 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msdtc.exe (PID: 5068 cmdline:
C:\Users\u ser\AppDat a\Roaming\ msdtc\msdt c.exe MD5: F1550A3B28BC977E1453701DE0EFC02B)
- cleanup
{"Server": "venom12345.duckdns.org,venomunverified.duckdns.org", "Ports": "4449", "Version": "5.0.5", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "13hY2L4QQkwZIszSJIRogZg0oshQmzWu", "Mutex": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC", "Certificate": "MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPLknDSnzkq9SuHSkPVyOxBFVoX/n/Y/SNOD2TO9vxmiaLG1rfOcnt7KPbQA3CJxOmVjCVDvtURayayaErAu6R280hq1HgF3iL7u8+5R9XY6JvXkaiKj2rYiEVKKWU55xGCztKNQAfUY7prw8li8QJk+J8vzitqKS1zz7G2UcGx1AgMBAAGjMjAwMB0GA1UdDgQWBBSyJslOSHG/21uHIrLBFtFJb3nJHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAG/y6mnqPy3k1abtSAqAnm79siuBJ99b4uxdaTRVNIjATBtYUb3stSpQGefhnzNh4YS6w3SvTZk/BwuWyC0MKvHEbQhbk4JyoIcF4s2wzd5/mcTYK/kwPzAGUp+b93Fp38f3TRgFz+fWVZGheqUlWxzMzV1boXz2JX4pGQTypJBM", "ServerSignature": "NCg54PLd2n8AEDSHQSmNfMcGUM+NFZObzWko+AQswKpLMJ6ybKRb5J/+Cq0oCg903QfMlcKBN23ZkC2YZqHpY/w9FmT+MXpUrkZjZV9+O1vXR+LeUfqiH27cAqfZ+RK8uYYKf4G1fwan7KMM8u0MSEoMlv8ggcZoyyPmsFd4SMk=", "BDOS": "null", "Startup_Delay": "1", "Group": "Venom Clients"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security | ||
Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
Click to see the 14 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
|
Timestamp: | 185.216.71.4192.168.2.44449496932848152 10/14/22-20:02:21.540302 |
SID: | 2848152 |
Source Port: | 4449 |
Destination Port: | 49693 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 185.216.71.4192.168.2.44449496932850454 10/14/22-20:02:21.540302 |
SID: | 2850454 |
Source Port: | 4449 |
Destination Port: | 49693 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Malware Configuration Extractor: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: | ||
Source: | URLs: |
Source: | DNS query: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 1_2_00F2E8D0 | |
Source: | Code function: | 1_2_00F2ACC0 | |
Source: | Code function: | 1_2_00F29FE8 | |
Source: | Code function: | 1_2_00F22109 | |
Source: | Code function: | 1_2_00F21590 | |
Source: | Code function: | 1_2_00F21580 | |
Source: | Code function: | 1_2_00F29CA0 | |
Source: | Code function: | 10_2_02602109 | |
Source: | Code function: | 10_2_0260158F | |
Source: | Code function: | 10_2_02601590 | |
Source: | Code function: | 21_2_02532109 | |
Source: | Code function: | 21_2_02531590 | |
Source: | Code function: | 21_2_02531580 |
Source: | Code function: | 9_2_011E3C80 |
Source: | Code function: | 1_2_00F22560 | |
Source: | Code function: | 1_2_00F22109 | |
Source: | Code function: | 10_2_02602560 | |
Source: | Code function: | 10_2_02602109 | |
Source: | Code function: | 21_2_02532560 | |
Source: | Code function: | 21_2_02532109 |
Source: | Binary or memory string: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: |
Source: | Key value queried: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Static file information: | |||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 10_2_02602636 | |
Source: | Code function: | 10_2_0260143E | |
Source: | Code function: | 10_2_02601416 | |
Source: | Code function: | 10_2_026012B6 | |
Source: | Code function: | 10_2_02600576 | |
Source: | Code function: | 10_2_0260073E | |
Source: | Code function: | 10_2_026001CF | |
Source: | Code function: | 10_2_0260119E | |
Source: | Code function: | 10_2_026001AA |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Process created: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: | |||
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: |
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | WMI Queries: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 Valid Accounts | 1 Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | 1 DLL Side-Loading | 312 Process Injection | 1 Access Token Manipulation | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | 2 Scheduled Task/Job | 1 Disable or Modify Tools | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 21 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 312 Process Injection | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 2 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
35% | Virustotal | Browse | ||
100% | Avira | HEUR/AGEN.1235903 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | HEUR/AGEN.1235903 | ||
100% | Joe Sandbox ML | |||
35% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | HEUR/AGEN.1235903 | Download File | ||
100% | Avira | HEUR/AGEN.1202835 | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
3% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
venom12345.duckdns.org | 185.216.71.4 | true | true |
| unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.216.71.4 | venom12345.duckdns.org | Germany | 43659 | CLOUDCOMPUTINGDE | true |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 723559 |
Start date and time: | 2022-10-14 20:01:13 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Scanned_V11230111111PDF-clean.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 33 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@43/7@1/1 |
EGA Information: |
|
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
- Excluded IPs from analysis (whitelisted): 8.238.85.254
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Execution Graph export aborted for target Scanned_V11230111111PDF-clean.exe, PID 6128 because it is empty
- Execution Graph export aborted for target msdtc.exe, PID 5068 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
20:02:19 | Task Scheduler | |
20:02:22 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDCOMPUTINGDE | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Download File
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 62397 |
Entropy (8bit): | 7.995531606726499 |
Encrypted: | true |
SSDEEP: | 1536:6VT6EGIYmIA2VKd1ZepH+41ZnDVrFyv+7XAZa7pAn:A6JI5IjOcTZDGvYXAZhn |
MD5: | D15AAA7C9BE910A9898260767E2490E1 |
SHA1: | 2090C53F8D9FC3FBDBAFD3A1E4DC25520EB74388 |
SHA-256: | F8EBAAF487CBA0C81A17C8CD680BDD2DD8E90D2114ECC54844CFFC0CC647848E |
SHA-512: | 7E1C1A683914B961B5CC2FE5E4AE288B60BAB43BFAA21CE4972772AA0589615C19F57E672E1D93E50A7ED7B76FBD2F1B421089DCAED277120B93F8E91B18AF94 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Download File
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File Type: | |
Category: | modified |
Size (bytes): | 328 |
Entropy (8bit): | 3.171395630613584 |
Encrypted: | false |
SSDEEP: | 6:kKDzWEl6FvXiN+SkQlPlEGYRMY9z+4KlDA3RUe6l61:rzWE45XJkPlE99SNxAhUe6c1 |
MD5: | F04D40D674EA4F1240874D666ACED1C0 |
SHA1: | F4361CC1ECD1DB03826CE967F14F505529A7829E |
SHA-256: | 9FC483737D3147997EBC7F1BD6673616B65A92243849B7D5FD2FA04744D375B2 |
SHA-512: | EC1595658FACF5F69BD7638414799AA8FF17C8686AD362B8617B8B1E2FC255AECCA0BFDCF28819D57A434B1FF6C4F9D6281EAD76DF7377772214FC55A5C1E511 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 425 |
Entropy (8bit): | 5.340009400190196 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk |
MD5: | CC144808DBAF00E03294347EADC8E779 |
SHA1: | A3434FC71BA82B7512C813840427C687ADDB5AEA |
SHA-256: | 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101 |
SHA-512: | A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scanned_V11230111111PDF-clean.exe.log
Download File
Process: | C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 425 |
Entropy (8bit): | 5.340009400190196 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk |
MD5: | CC144808DBAF00E03294347EADC8E779 |
SHA1: | A3434FC71BA82B7512C813840427C687ADDB5AEA |
SHA-256: | 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101 |
SHA-512: | A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D |
Malicious: | true |
Preview: |
Process: | C:\Users\user\AppData\Roaming\msdtc\msdtc.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 425 |
Entropy (8bit): | 5.340009400190196 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk |
MD5: | CC144808DBAF00E03294347EADC8E779 |
SHA1: | A3434FC71BA82B7512C813840427C687ADDB5AEA |
SHA-256: | 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101 |
SHA-512: | A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 281600 |
Entropy (8bit): | 5.674396618343541 |
Encrypted: | false |
SSDEEP: | 3072:GzeGuUytW+M1Qkh36d5cBWHc8iXcIQ8u7RTSDL+TyJiAdlkgSjOohYAj:GtzV+/iqXG0jisHTyndlLSnhYAj |
MD5: | F1550A3B28BC977E1453701DE0EFC02B |
SHA1: | AA131521288D9B613BA277A31F14F9E0318F36C3 |
SHA-256: | 68FA24F693D9B5955EB2A34A6FBBD3AC7B9E4E8EFA53B17B6A94DDD01BAAB2FE |
SHA-512: | DFD6678D68CA76DBF8D360E5EA9370552A1CAAEE210A60628B8EE7435B3CB70150243F88999FAC69D3130D94AEFFB70C75C1DAF93D15B0E0D3B05622616B4BB0 |
Malicious: | true |
Antivirus: |
|
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 5.674396618343541 |
TrID: |
|
File name: | Scanned_V11230111111PDF-clean.exe |
File size: | 281600 |
MD5: | f1550a3b28bc977e1453701de0efc02b |
SHA1: | aa131521288d9b613ba277a31f14f9e0318f36c3 |
SHA256: | 68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe |
SHA512: | dfd6678d68ca76dbf8d360e5ea9370552a1caaee210a60628b8ee7435b3cb70150243f88999fac69d3130d94aeffb70c75c1daf93d15b0e0d3b05622616b4bb0 |
SSDEEP: | 3072:GzeGuUytW+M1Qkh36d5cBWHc8iXcIQ8u7RTSDL+TyJiAdlkgSjOohYAj:GtzV+/iqXG0jisHTyndlLSnhYAj |
TLSH: | 01546C067B808E27C4183738A8A38734233AED56FEB5C70FB698B6197FB27D549125C5 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.Ic.................`..........`.... ........@.. ....................................@................................ |
Icon Hash: | b46ee4c4ecd0e830 |
Entrypoint: | 0x417f60 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63499D27 [Fri Oct 14 17:32:23 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add al, 00h |
add eax, dword ptr [eax] |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax+0000000Eh], al |
je 00007F4240CBB883h |
add al, byte ptr [eax+00000010h] |
inc esi |
loop 00007F4240CBB8A4h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17f16 | 0x4a | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x2e6a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x15f66 | 0x16000 | False | 0.8551580255681818 | data | 7.692545334541179 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x18000 | 0x2e6a0 | 0x2e800 | False | 0.380859375 | data | 4.361154876770736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x48000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x180ac | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | ||
RT_ICON | 0x288f8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | ||
RT_ICON | 0x31dc4 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | ||
RT_ICON | 0x385d0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | ||
RT_ICON | 0x3da7c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | ||
RT_ICON | 0x41cc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | ||
RT_ICON | 0x44294 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | ||
RT_ICON | 0x45360 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | ||
RT_ICON | 0x45d0c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | ||
RT_GROUP_ICON | 0x461c2 | 0x84 | data | ||
RT_VERSION | 0x46282 | 0x1f8 | data | English | United States |
RT_MANIFEST | 0x464b6 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
185.216.71.4192.168.2.44449496932848152 10/14/22-20:02:21.540302 | TCP | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
185.216.71.4192.168.2.44449496932850454 10/14/22-20:02:21.540302 | TCP | 2850454 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 14, 2022 20:02:21.450500011 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:21.477988005 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:21.478084087 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:21.511540890 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:21.540302038 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:21.545551062 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:21.576325893 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:21.633656025 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:28.169265032 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:28.245615959 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:28.245832920 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:28.324682951 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:38.525011063 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:38.602965117 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:38.604311943 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:38.683777094 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:38.699460030 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:38.837662935 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:38.865046024 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:39.025204897 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:39.228831053 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:39.309890985 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:39.309994936 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:39.389702082 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:46.155585051 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:46.338332891 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:46.365402937 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:46.525846004 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:48.812150955 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:48.890791893 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:48.890938044 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:48.964538097 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:49.026278019 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:49.053551912 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:49.101815939 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:49.190079927 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:49.190274954 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:49.270833969 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:59.102849960 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:59.180946112 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:59.181046963 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:59.240190029 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:59.292562962 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:59.320094109 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:59.339601040 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:59.416662931 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:02:59.416743994 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:02:59.494013071 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:09.435960054 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:09.513834000 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:09.517749071 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:09.546871901 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:09.684073925 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:09.711291075 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:09.788532019 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:09.866826057 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:09.869837046 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:09.947679043 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:16.045141935 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:16.090862989 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:16.118139982 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:16.168993950 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:19.771892071 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:19.849715948 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:19.849777937 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:19.928585052 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:20.699259043 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:20.794411898 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:20.821676970 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:20.903773069 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:20.990256071 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:21.067761898 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:21.067862988 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:21.146642923 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:30.094578028 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:30.187001944 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:30.187071085 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:30.242351055 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:30.295268059 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:30.322398901 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:30.398165941 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:30.473654032 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:30.473828077 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:30.544945002 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:40.383671999 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:40.451844931 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:40.452039957 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:40.498953104 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:40.546174049 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:40.573862076 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:40.624268055 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:40.732413054 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:40.809856892 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:40.809937954 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:40.887815952 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:46.449521065 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:46.499759912 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:46.527158976 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:46.577972889 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:50.597248077 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:50.676943064 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:50.677140951 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:50.706593037 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:50.750170946 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:50.778158903 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:50.796410084 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:50.874600887 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:03:50.874803066 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:03:50.955717087 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:00.930149078 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:01.007909060 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:01.010257006 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:01.088882923 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:01.108876944 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:01.157269955 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:01.184572935 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:01.235390902 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:02.593801022 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:02.680850029 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:02.680985928 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:02.758719921 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:11.234200001 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:11.321782112 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:11.327121019 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:11.397279024 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:11.449935913 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:11.477072001 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:11.499174118 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:11.577646971 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:11.579164028 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:11.656702995 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:16.126669884 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:16.169179916 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Oct 14, 2022 20:04:16.203320980 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4 |
Oct 14, 2022 20:04:16.278552055 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 14, 2022 20:02:21.326102972 CEST | 60080 | 53 | 192.168.2.4 | 8.8.8.8 |
Oct 14, 2022 20:02:21.432149887 CEST | 53 | 60080 | 8.8.8.8 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 14, 2022 20:02:21.326102972 CEST | 192.168.2.4 | 8.8.8.8 | 0xc8f3 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 14, 2022 20:02:21.432149887 CEST | 8.8.8.8 | 192.168.2.4 | 0xc8f3 | No error (0) | 185.216.71.4 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 20:02:07 |
Start date: | 14/10/2022 |
Path: | C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x440000 |
File size: | 281600 bytes |
MD5 hash: | F1550A3B28BC977E1453701DE0EFC02B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
Target ID: | 1 |
Start time: | 20:02:15 |
Start date: | 14/10/2022 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x650000 |
File size: | 64616 bytes |
MD5 hash: | 6FD7592411112729BF6B1F2F6C34899F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | high |
Target ID: | 2 |
Start time: | 20:02:16 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 20:02:16 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 4 |
Start time: | 20:02:16 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 5 |
Start time: | 20:02:16 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 6 |
Start time: | 20:02:16 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 7 |
Start time: | 20:02:16 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1370000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 8 |
Start time: | 20:02:17 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 9 |
Start time: | 20:02:19 |
Start date: | 14/10/2022 |
Path: | C:\Users\user\AppData\Roaming\msdtc\msdtc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x990000 |
File size: | 281600 bytes |
MD5 hash: | F1550A3B28BC977E1453701DE0EFC02B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Antivirus matches: |
|
Target ID: | 10 |
Start time: | 20:02:30 |
Start date: | 14/10/2022 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x4c0000 |
File size: | 64616 bytes |
MD5 hash: | 6FD7592411112729BF6B1F2F6C34899F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Target ID: | 11 |
Start time: | 20:02:31 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 12 |
Start time: | 20:02:31 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 13 |
Start time: | 20:02:31 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 14 |
Start time: | 20:02:31 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 15 |
Start time: | 20:02:31 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 16 |
Start time: | 20:02:32 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1370000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 17 |
Start time: | 20:02:32 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 19 |
Start time: | 20:03:01 |
Start date: | 14/10/2022 |
Path: | C:\Users\user\AppData\Roaming\msdtc\msdtc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x910000 |
File size: | 281600 bytes |
MD5 hash: | F1550A3B28BC977E1453701DE0EFC02B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Target ID: | 21 |
Start time: | 20:03:12 |
Start date: | 14/10/2022 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x340000 |
File size: | 64616 bytes |
MD5 hash: | 6FD7592411112729BF6B1F2F6C34899F |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Target ID: | 22 |
Start time: | 20:03:13 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 23 |
Start time: | 20:03:13 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 24 |
Start time: | 20:03:13 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 25 |
Start time: | 20:03:14 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 26 |
Start time: | 20:03:14 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 27 |
Start time: | 20:03:14 |
Start date: | 14/10/2022 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1370000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 28 |
Start time: | 20:03:14 |
Start date: | 14/10/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7c72c0000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Target ID: | 30 |
Start time: | 20:04:00 |
Start date: | 14/10/2022 |
Path: | C:\Users\user\AppData\Roaming\msdtc\msdtc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x750000 |
File size: | 281600 bytes |
MD5 hash: | F1550A3B28BC977E1453701DE0EFC02B |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Function 00A2D3C8 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00A2D4B4 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00A2D3C3 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00A2D4AF Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 18.9% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 33.3% |
Total number of Nodes: | 9 |
Total number of Limit Nodes: | 0 |
Graph
Function 00F22109 Relevance: 2.0, APIs: 1, Instructions: 457nativeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F2E8D0 Relevance: 1.6, Strings: 1, Instructions: 364COMMON
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F22560 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F29FE8 Relevance: .3, Instructions: 281COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F2ACC0 Relevance: .3, Instructions: 266COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F27504 Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F255CC Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00D2D3B4 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00D2D3AF Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F21590 Relevance: .4, Instructions: 388COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F21580 Relevance: .3, Instructions: 320COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00F29CA0 Relevance: .2, Instructions: 238COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 35.4% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 6.1% |
Total number of Nodes: | 49 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E4170 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E416E Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E4258 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E4260 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E4440 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E443E Relevance: 1.5, APIs: 1, Instructions: 42threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0118D4B4 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0118D3C8 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0118D4AF Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0118D3C3 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 26.7% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 8 |
Total number of Limit Nodes: | 0 |
Graph
Function 02602109 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 460nativeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02602560 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 36.2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 64 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01074170 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0107416E Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01074258 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01074260 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01074440 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0107443E Relevance: 1.5, APIs: 1, Instructions: 42threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D3C8 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D4B4 Relevance: .1, Instructions: 75COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D3C3 Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0100D4AF Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
Execution Coverage: | 25.2% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 8 |
Total number of Limit Nodes: | 0 |
Graph
Function 02532109 Relevance: 2.0, APIs: 1, Instructions: 451nativeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 02532560 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4D3B4 Relevance: .1, Instructions: 75COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00A4D3AF Relevance: .1, Instructions: 56COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0A85 Relevance: 1.6, Strings: 1, Instructions: 353COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E08AD Relevance: 1.4, Strings: 1, Instructions: 157COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E100B Relevance: 1.4, Strings: 1, Instructions: 147COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E2DE7 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E12E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E12F4 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0855 Relevance: 1.3, Strings: 1, Instructions: 29COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0EE9 Relevance: 1.3, Strings: 1, Instructions: 13COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0878 Relevance: 1.3, Strings: 1, Instructions: 11COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0EF8 Relevance: 1.3, Strings: 1, Instructions: 11COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E284C Relevance: .2, Instructions: 211COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E028D Relevance: .2, Instructions: 205COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E1BC2 Relevance: .2, Instructions: 176COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0638 Relevance: .1, Instructions: 96COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E20DB Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E2310 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E1B48 Relevance: .0, Instructions: 42COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E151C Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0479 Relevance: .0, Instructions: 35COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0488 Relevance: .0, Instructions: 27COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E27A2 Relevance: .0, Instructions: 20COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E060F Relevance: .0, Instructions: 19COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E0448 Relevance: .0, Instructions: 19COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E1B88 Relevance: .0, Instructions: 17COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E154C Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E2DD5 Relevance: .0, Instructions: 15COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E1BAE Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E27F2 Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E208B Relevance: .0, Instructions: 14COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E280F Relevance: .0, Instructions: 11COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E2FCF Relevance: .0, Instructions: 7COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E2FA7 Relevance: .0, Instructions: 5COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011E1E98 Relevance: .0, Instructions: 5COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |