Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample Name: | file.exe |
| Analysis ID: | 874613 |
| MD5: | 2df2884b8b1a86fa61343ea81352ec77 |
| SHA1: | 83dc7863e234f48607a16f0be43290259088dfd2 |
| SHA256: | e0cc3040ad1009bda35882a71398733e14701fc0829e2d5dc84d920f6a72ec42 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
file.exe (PID: 7040 cmdline: C:\Users\u ser\Deskto p\file.exe MD5: 2DF2884B8B1A86FA61343EA81352EC77) 
conhost.exe (PID: 7016 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - InstallUtil.exe (PID: 7152 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\Inst allUtil.ex e MD5: EFEC8C379D165E3F33B536739AEE26A3)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
|
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Avira: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_001BE3A0 | |
Networking | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | Binary or memory string: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Code function: | 0_2_001B80B5 | |
| Source: | Code function: | 0_2_001AF192 | |
| Source: | Code function: | 0_2_001C0A05 | |
| Source: | Code function: | 0_2_001A2200 | |
| Source: | Code function: | 0_2_001C226A | |
| Source: | Code function: | 0_2_001B6638 | |
| Source: | Code function: | 0_2_001BC6C9 | |
| Source: | Code function: | 0_2_001B26E0 | |
| Source: | Code function: | 2_2_02AB8628 | |
| Source: | Code function: | 2_2_02AB8618 | |
| Source: | Code function: | 2_2_05522B18 | |
| Source: | Code function: | 2_2_05A1F130 | |
| Source: | Code function: | 2_2_05A11320 | |
| Source: | Code function: | 2_2_05A1FAA0 | |
| Source: | Code function: | 2_2_05A11310 | |
| Source: | Code function: | 2_2_05A1ED98 | |
| Source: | Code function: | 2_2_05A18E28 | |
| Source: | Code function: | 2_2_05A18E1A | |
| Source: | Code function: | 0_2_001A2660 | |
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Binary or memory string: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_001A9A69 | |
| Source: | Code function: | 2_2_02AB4B21 | |
| Source: | Code function: | 2_2_02ABACA9 | |
| Source: | Code function: | 2_2_0552718E | |
| Source: | Code function: | 2_2_055272D3 | |
| Source: | Code function: | 2_2_05526FFF | |
| Source: | Code function: | 2_2_05527ADE | |
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Registry key enumerated: | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_001BE3A0 | |
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_001AA085 | |
| Source: | Code function: | 0_2_001C1B1A | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Code function: | 0_2_001BF51B | |
| Source: | Code function: | 0_2_001B3E39 | |
| Source: | Code function: | 2_2_02AB9540 | |
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 0_2_001AA1E7 | |
| Source: | Code function: | 0_2_001AA085 | |
| Source: | Code function: | 0_2_001AFC47 | |
| Source: | Code function: | 0_2_001A9D60 | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_001C18B8 | |
| Source: | Code function: | 0_2_001C11F6 | |
| Source: | Code function: | 0_2_001C1241 | |
| Source: | Code function: | 0_2_001C12DC | |
| Source: | Code function: | 0_2_001C1367 | |
| Source: | Code function: | 0_2_001B8C2E | |
| Source: | Code function: | 0_2_001C15BA | |
| Source: | Code function: | 0_2_001C16E3 | |
| Source: | Code function: | 0_2_001B8708 | |
| Source: | Code function: | 0_2_001C0F54 | |
| Source: | Code function: | 0_2_001C17E9 | |
| Source: | Code function: | 0_2_001A9B4C | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 0_2_001A9F7F | |
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 131 Windows Management Instrumentation | Path Interception | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 151 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | Security Account Manager | 11 Process Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 311 Process Injection | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | 3 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 File and Directory Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 54 System Information Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 57% | ReversingLabs | Win32.Trojan.RedLine | ||
| 56% | Virustotal | Browse | ||
| 100% | Avira | HEUR/AGEN.1305142 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 2% | Virustotal | Browse | ||
| 7% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ip-api.com | 208.95.112.1 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high | ||
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false | |
| 193.233.232.195 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false | |
| 85.192.63.194 | unknown | Russian Federation | 47711 | LINEGROUP-ASRU | false |
| Joe Sandbox Version: | 37.1.0 Beryl |
| Analysis ID: | 874613 |
| Start date and time: | 2023-05-24 14:08:45 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 8m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | file.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/12@1/3 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
- Not all processes where analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
| Time | Type | Description |
|---|---|---|
| 14:10:30 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 208.95.112.1 | Get hash | malicious | Clipboard Hijacker, Quasar | Browse |
| |
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | BlackGuard | Browse |
| ||
| Get hash | malicious | BlackGuard | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | Blank Grabber | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ip-api.com | Get hash | malicious | Clipboard Hijacker, Quasar | Browse |
| |
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | AsyncRAT, StormKitty, VenomRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, StormKitty, VenomRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | BlackGuard | Browse |
| ||
| Get hash | malicious | BlackGuard | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| FREE-NET-ASFREEnetEU | Get hash | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader | Browse |
| |
| Get hash | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Stealc | Browse |
| ||
| Get hash | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| TUT-ASUS | Get hash | malicious | Clipboard Hijacker, Quasar | Browse |
| |
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | AsyncRAT, StormKitty, VenomRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | BlackGuard | Browse |
| ||
| Get hash | malicious | BlackGuard | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | WSHRAT | Browse |
| ||
| Get hash | malicious | Gurcu Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | Blank Grabber | Browse |
|
⊘No context
⊘No context
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1537 |
| Entropy (8bit): | 5.365372657477488 |
| Encrypted: | false |
| SSDEEP: | 48:MxHKXwYHKhQnoPtHoxHhAHKzv7HG1qHjHK9HK+HKoHK:iqXwYqhQnoPtIxHeqzjmwDq9q+qoq |
| MD5: | B7AEB06595355BCF5CC32F01B9BCCCAE |
| SHA1: | A1336BBBF39EAFF0182ADEBE6619082F3C48D9DC |
| SHA-256: | D7AFE14B632165CF0CE2AB27840624FDF3F5D3E4D52F0D48990A82E25120BECB |
| SHA-512: | 9F09D98517FEC9EAFE95328644A90692C2699A27D04DF7C382443FB0C2A63E5941A34EFEA481B85949B03531D394874AC8E95C0752B5AED9AB6523EF467C76EA |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 49152 |
| Entropy (8bit): | 0.7876734657715041 |
| Encrypted: | false |
| SSDEEP: | 48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO |
| MD5: | CF7758A2FF4A94A5D589DEBAED38F82E |
| SHA1: | D3380E70D0CAEB9AD78D14DD970EA480E08232B8 |
| SHA-256: | 6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F |
| SHA-512: | 1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 28672 |
| Entropy (8bit): | 0.4393511334109407 |
| Encrypted: | false |
| SSDEEP: | 24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl |
| MD5: | 8C31C5487A97BBE73711C5E20600C1F6 |
| SHA1: | D4D6B04226D8FFC894749B3963E7DB7068D6D773 |
| SHA-256: | A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A |
| SHA-512: | 394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 94208 |
| Entropy (8bit): | 1.2889923589460437 |
| Encrypted: | false |
| SSDEEP: | 192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944 |
| MD5: | 7901DD9DF50A993306401B7360977746 |
| SHA1: | E5BA33E47A3A76CC009EC1D63C5D1A810BE40521 |
| SHA-256: | 1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9 |
| SHA-512: | 90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\analworker\user@305090_en-US_2023_05_25_00_09_46@v1.3.2.zip 
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 88650 |
| Entropy (8bit): | 7.995845561610413 |
| Encrypted: | true |
| SSDEEP: | 1536:j8+sJ5f4RXqdWE0p5k3AmGVqCBueq79qQvvf1vCQr9auHNA4hEkC6m3:j8+sT4X8AmGdw7QYfxJa4A4uT6m3 |
| MD5: | D7F030C63533E519BCD35BA57B017B7C |
| SHA1: | C9C72663515EA4224415F1ECFBEEEE159FA5CD7B |
| SHA-256: | E0C0F307035386D6191A95CCAF4E418CFFCA0F604D026993790C9FBB1E719D9D |
| SHA-512: | 0EED9BEFBC1009D8E366D901A49250169C2008768DEB1779C15A1CEC34110AB66E6AADA0BC6C3E2750D928CEB92A40EFB0BA0DBF739CA821EB3C9E9E9FCFA86E |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\analworker\user@305090_en-US_2023_05_25_00_09_46@v1.3.2\Information.txt
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 473 |
| Entropy (8bit): | 5.556871807242889 |
| Encrypted: | false |
| SSDEEP: | 6:0MQaSiiyRo1j0+4BjeGBf3tUA7lx2Idvse4vzWYumZrZYCRViA7bvFIpsUh8Nn:0MQ4DiYxkJAP2Ut4qYhZYKh8Bh8N |
| MD5: | D510C02C0E3D3E1EEA2047FB36FC648E |
| SHA1: | 637A1DCA445EF319D46645C1D56A2D73EABE4450 |
| SHA-256: | 8584D4B4D64141BFD7CDDAEAAB6F5327BC179288F0205B52DBED7F918A566FA5 |
| SHA-512: | 1F826EB53C70B53A1A15859DDF3DB37B4A56A10A808A5EF178D43A11374EB88A1AD4902DB69869460F01516FADD142AEAF784B0337280E27279BEFE607DABB12 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\analworker\user@305090_en-US_2023_05_25_00_09_46@v1.3.2\Processes.txt
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 21648 |
| Entropy (8bit): | 5.751110016568791 |
| Encrypted: | false |
| SSDEEP: | 192:4z9PRuQuWfMX8OeK5O70GVRSTzUgrdX0cZl6OIxrbp6AkqwfOuGC0PXIHj/i5t3z:MXSs0HlUBOW6M+OKQ |
| MD5: | D6CDA8BEF8464935608D84B349D425BF |
| SHA1: | F75DE69262D22BB5A22CB84B238ECC6BE23893A8 |
| SHA-256: | 7C484B0C73EC2FC135BE9153ECE3C04BCBF190BFFECCC8B808051542F1DFA085 |
| SHA-512: | 5D0C1FBE984AFAD6D26C1DD45776B68ED82543745CBF8009E979B5B3D761E6514D54E28F8DFA1AF135B26BCFE2155792C952668CADBD049C27A419E346FC8E84 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\analworker\user@305090_en-US_2023_05_25_00_09_46@v1.3.2\Screenshot.jpg
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 84470 |
| Entropy (8bit): | 7.898142179157835 |
| Encrypted: | false |
| SSDEEP: | 1536:CmdwWq7SzqenFHH9dUP9lBrCMFdmiNR1RJIBmnVBREXpbiRPDxU:vdwWqezqgpH4BrCum6IUnzR81YU |
| MD5: | E9612967119F75EC50D28AE47DABF923 |
| SHA1: | 8399AAEAFEF1258C62557D7EF6D35F8A0C3C621F |
| SHA-256: | 7F7E9492CEE63F31B5B26ADE570D5DFC5E3AD2197CB7F91DB3C92F7AFFCA526B |
| SHA-512: | 5FAB6039A1CAE905D6790A01362676B2E7B30A1A9971E36374E26F20F7F68186B4C6EB299E68AE165523BAE4814B95C14EF8956A7AD205BCC491F55FCDFF4A21 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\analworker\user@305090_en-US_2023_05_25_00_09_46@v1.3.2\Software.txt
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 38204 |
| Entropy (8bit): | 5.140010169770588 |
| Encrypted: | false |
| SSDEEP: | 96:cBD16fzBVrNpcCWKXOJDpVX8dEXOr8VtSZuRc85+8/1165N6N8HC6N8an6N8ds6n:0AfgW0ddrAA1YBrAft8MWdvnIHPHtdW |
| MD5: | A2A658925244F28F9BEAE4C9F64AA67B |
| SHA1: | F1A4135EE2F9BD9A55B087A943EAF2DED33B4312 |
| SHA-256: | 0B2CB54E08BCF114DA125138E781EF8B62DADCD6E5A8DD6922045DD984EE7F28 |
| SHA-512: | EF88E2A2285210BE90C627360FAD1AD231329AA084E1E79F00273FE4E5F782BEE448A3959E167CC8064E407E4298648C7EC880A155ADD87C0DF4F4B39B74884B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\analworker\user@305090_en-US_2023_05_25_00_09_46@v1.3.2\Windows.txt
Download File
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 18260 |
| Entropy (8bit): | 5.718496242977151 |
| Encrypted: | false |
| SSDEEP: | 192:g6zzS0f50usL1gqaOQ0q6MXT8OTKI1oY7j+GlRKUqPDLtgg5ZuDvI0o9QyCD44ZH:lJIFgD |
| MD5: | C45A716A68C3954AA5BFD070F489C707 |
| SHA1: | 780E376783663263B23DF6545551D89E9D8AC668 |
| SHA-256: | B18A54BEEB651DF3DDD8163EE4C22F4D331D56C8B88A332E75D8C31C02CFE602 |
| SHA-512: | F88A0F283128CD26FCB65E1B755D0A7C9A716741120E45015DAB772A556800C94F7F473C31D24A7B2CCB87C05F3138F6E2DAF2CD708A45D369256E2EA5B36619 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 13 |
| Entropy (8bit): | 3.0269868333592873 |
| Encrypted: | false |
| SSDEEP: | 3:r+FGn:rIGn |
| MD5: | BCA2CD848281D1BE066F6662DBE553C9 |
| SHA1: | A364F1914422B75E0D1F702696356B93A1F4DCFD |
| SHA-256: | 297AD70879E17987BFEEFCB929FB7243F09D838FB00A3FD54E90E0130B60635B |
| SHA-512: | 4770FE3C24E97155E13B67921374EE8138EC4DE1D614B90CE8B9CFE892D25B84C388A3996E644DF4926921CD38934CBD35E955C3659D6A152DFA591DF81D1739 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 208 |
| Entropy (8bit): | 4.014803491654171 |
| Encrypted: | false |
| SSDEEP: | 3:J+Q1EEOR425Q425Q425Q425Q425Q425Q425Q425Q42fWXHyv:J1+42i42i42i42i42i42i42i42i42fQc |
| MD5: | 7A1F4A8B1C6E0E98A5A77BE8161835E4 |
| SHA1: | 27525727A833A283E897317B1BC229B36EE0B004 |
| SHA-256: | 45B297BC10BFBB2EF96AF2AD176C88D6C90C33EB786A6A4230498F1E1AECECB1 |
| SHA-512: | E6253073BD79E552E500DE6E2BC07A123B7EE99BA19EDB8909FC7BDC21621E2E90DE42D6E7DD5986C450276A0CC95EC1425997A2A58D01FC2E217542A9B5A6E8 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 3.2880071723280664 |
| TrID: |
|
| File name: | file.exe |
| File size: | 1219328 |
| MD5: | 2df2884b8b1a86fa61343ea81352ec77 |
| SHA1: | 83dc7863e234f48607a16f0be43290259088dfd2 |
| SHA256: | e0cc3040ad1009bda35882a71398733e14701fc0829e2d5dc84d920f6a72ec42 |
| SHA512: | 33b20badf32f3837d6386a4a891d2da2184068f4b3b14ce4e111bb16fed5f92d2822a2ce67d67a2ad71ca7dc6412546ddb77ff41922b0aa1202824b6164ff51b |
| SSDEEP: | 12288:wPCpeRXPo3ZYOlNLOPZ7lxwberqf/9ssT:wP/PC5f4lGb2e/qM |
| TLSH: | 4245D012B5E2C072D873153209E8DBBA5A7D79304B6599DF63E40F7E8F302C19732A66 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.I.{.'.{.'.{.'...$.v.'..."...'...#.m.'.4.#.j.'.4.$.n.'...&.~.'.{.&. .'.4.".5.'.....z.'...%.z.'.Rich{.'........................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x4097fb |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x646D156E [Tue May 23 19:35:10 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 632364d9eea56f3f6aa7f9395c999741 |
| Signature Valid: | false |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The digital signature of the object did not verify |
| Error Number: | -2146869232 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 4044C5CA5550239BD53D4ECC63101E35 |
| Thumbprint SHA-1: | 53B2422E8E2E074AC57CB9A73E004AF7DF8BF64A |
| Thumbprint SHA-256: | 73E3F0EEEB0B014D86EAE8266089DFCB490EA34296D4F67C90276D7888F0CD99 |
| Serial: | 0160C5354D861DED2F317645DC3FABCA |
| Instruction |
|---|
| call 00007F51E8C051F1h |
| jmp 00007F51E8C04899h |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007F51E8C04A3Bh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007F51E8C04A2Ch |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007F51E8C04A2Eh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007F51E8C04A0Ch |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007F51E8C04A1Bh |
| push esi |
| call 00007F51E8C054CBh |
| test eax, eax |
| je 00007F51E8C04A42h |
| mov eax, dword ptr fs:[00000018h] |
| mov esi, 00462A7Ch |
| mov edx, dword ptr [eax+04h] |
| jmp 00007F51E8C04A26h |
| cmp edx, eax |
| je 00007F51E8C04A32h |
| xor eax, eax |
| mov ecx, edx |
| lock cmpxchg dword ptr [esi], ecx |
| test eax, eax |
| jne 00007F51E8C04A12h |
| xor al, al |
| pop esi |
| ret |
| mov al, 01h |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| cmp dword ptr [ebp+08h], 00000000h |
| jne 00007F51E8C04A29h |
| mov byte ptr [00462A80h], 00000001h |
| call 00007F51E8C04CE1h |
| call 00007F51E8C07A6Eh |
| test al, al |
| jne 00007F51E8C04A26h |
| xor al, al |
| pop ebp |
| ret |
| call 00007F51E8C10CE0h |
| test al, al |
| jne 00007F51E8C04A2Ch |
| push 00000000h |
| call 00007F51E8C07A75h |
| pop ecx |
| jmp 00007F51E8C04A0Bh |
| mov al, 01h |
| pop ebp |
| ret |
| push ebp |
| mov ebp, esp |
| cmp byte ptr [00462A81h], 00000000h |
| je 00007F51E8C04A26h |
| mov al, 01h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x345e0 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1100 | 0x300 | .text |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x127200 | 0x2900 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0x1e20 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x327d0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32710 | 0x0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x27000 | 0x144 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x25bfe | 0x25c00 | False | 0.5696528352649006 | data | 6.659421688226366 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x27000 | 0xdd32 | 0xde00 | False | 0.5167863175675675 | data | 5.528073599858321 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x35000 | 0x2e5a0 | 0x2d800 | False | 0.9810858087225275 | DOS executable (block device driver \377\377\377\377N,32-bit sector-support) | 7.976693437889122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x64000 | 0x1e20 | 0x2000 | False | 0.715576171875 | data | 6.419199267341691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .D_Haze | 0x66000 | 0xc394c | 0xc3a00 | False | 0.001094498801916933 | data | 0.0012512738879872786 | IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_SHARED |
| DLL | Import |
|---|---|
| USER32.dll | CreatePopupMenu, ShowWindow, EmptyClipboard |
| KERNEL32.dll | GetProcAddress, CreateFileW, HeapSize, GetProcessHeap, GetModuleHandleW, GetConsoleWindow, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetStdHandle, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, WriteConsoleW, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 24, 2023 14:09:51.579485893 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1 |
| May 24, 2023 14:09:51.615478039 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7 |
| May 24, 2023 14:09:51.615689039 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1 |
| May 24, 2023 14:09:51.616072893 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1 |
| May 24, 2023 14:09:51.657805920 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7 |
| May 24, 2023 14:09:51.706315041 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1 |
| May 24, 2023 14:10:10.024647951 CEST | 49706 | 8899 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:13.207962990 CEST | 49706 | 8899 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:19.208592892 CEST | 49706 | 8899 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:29.021482944 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7 |
| May 24, 2023 14:10:29.021658897 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1 |
| May 24, 2023 14:10:31.335731983 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.367582083 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.367723942 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.368931055 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.400773048 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.400841951 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.400876999 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.401267052 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.433562040 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.433605909 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.433906078 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.465743065 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.465790033 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.465920925 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.465974092 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.466140032 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.466698885 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.466738939 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.497973919 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.498127937 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.498184919 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.499521017 CEST | 12345 | 49707 | 193.233.232.195 | 192.168.2.7 |
| May 24, 2023 14:10:31.499661922 CEST | 49707 | 12345 | 192.168.2.7 | 193.233.232.195 |
| May 24, 2023 14:10:31.604773998 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.640449047 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.640604019 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.641706944 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.673569918 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.674005032 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.674782038 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.675878048 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.677144051 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.678217888 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.706753016 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.707767963 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.707849979 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.707910061 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.707994938 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.708996058 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.709023952 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.709120035 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.710179090 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.710294008 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.739969969 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.740022898 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.740041018 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.740223885 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.740329027 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.741111994 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.741261959 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.742234945 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.742369890 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.748014927 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.772351027 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.772394896 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.772461891 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:31.772483110 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.773039103 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.773247957 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.773457050 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.774255991 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.774363995 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.804474115 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:31.804517031 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:32.006870031 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1 |
| May 24, 2023 14:10:32.042885065 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7 |
| May 24, 2023 14:10:32.203778982 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:32.203819990 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| May 24, 2023 14:10:32.203891993 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:32.204457045 CEST | 49708 | 5001 | 192.168.2.7 | 85.192.63.194 |
| May 24, 2023 14:10:32.236315966 CEST | 5001 | 49708 | 85.192.63.194 | 192.168.2.7 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| May 24, 2023 14:09:51.471364975 CEST | 53336 | 53 | 192.168.2.7 | 8.8.8.8 |
| May 24, 2023 14:09:51.498056889 CEST | 53 | 53336 | 8.8.8.8 | 192.168.2.7 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| May 24, 2023 14:09:51.471364975 CEST | 192.168.2.7 | 8.8.8.8 | 0x93a9 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| May 24, 2023 14:09:51.498056889 CEST | 8.8.8.8 | 192.168.2.7 | 0x93a9 | No error (0) | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49705 | 208.95.112.1 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| May 24, 2023 14:09:51.616072893 CEST | 93 | OUT | |
| May 24, 2023 14:09:51.657805920 CEST | 93 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49708 | 85.192.63.194 | 5001 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| May 24, 2023 14:10:31.641706944 CEST | 183 | OUT | |
| May 24, 2023 14:10:31.674005032 CEST | 183 | IN | |
| May 24, 2023 14:10:31.706753016 CEST | 196 | IN | |
| May 24, 2023 14:10:32.203778982 CEST | 273 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:09:44 |
| Start date: | 24/05/2023 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1a0000 |
| File size: | 1219328 bytes |
| MD5 hash: | 2DF2884B8B1A86FA61343EA81352EC77 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 1 |
| Start time: | 14:09:44 |
| Start date: | 24/05/2023 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6edaf0000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 2 |
| Start time: | 14:09:45 |
| Start date: | 24/05/2023 |
| Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x990000 |
| File size: | 41064 bytes |
| MD5 hash: | EFEC8C379D165E3F33B536739AEE26A3 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | high |
Execution Graph
| Execution Coverage: | 6.5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 2.6% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 79 |
Graph
Function 001A2660 Relevance: 51.0, APIs: 14, Strings: 15, Instructions: 284nativethreadmemoryCOMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 55% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001AA1E7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BF51B Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B3E39 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B88D1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 76% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A7A7F Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 74% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BF0F3 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 19% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A1990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 74% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 81% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B7BCB Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 86% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A71DC Relevance: 1.6, APIs: 1, Instructions: 107COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 43% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| C-Code - Quality: 85% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B6392 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B6429 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A8284 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
Control-flow Graph
| C-Code - Quality: 82% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A884F Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| C-Code - Quality: 82% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A7BA9 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| C-Code - Quality: 93% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 61% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C226A Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONCrypto
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C16E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 96% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C0F54 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 70% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B6638 Relevance: 6.3, APIs: 4, Instructions: 337COMMONCrypto
Download Yara Rule
| C-Code - Quality: 82% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001AA085 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| C-Code - Quality: 85% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C1367 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| C-Code - Quality: 90% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 78% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B26E0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONCrypto
Download Yara Rule
| C-Code - Quality: 94% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B80B5 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODECrypto
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A9B4C Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| C-Code - Quality: 88% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BE3A0 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
Download Yara Rule
| C-Code - Quality: 78% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 89% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C15BA Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| C-Code - Quality: 64% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 91% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C17E9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| C-Code - Quality: 87% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 83% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C1B1A Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BC6C9 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001C0A05 Relevance: .3, Instructions: 327COMMONCrypto
Download Yara Rule
| C-Code - Quality: 73% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A2200 Relevance: .1, Instructions: 119COMMONCrypto
Download Yara Rule
| C-Code - Quality: 67% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 71% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 67% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001ACCE8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 63% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BBA6C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 77% |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 82% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 82% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B3E5B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 25% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BC276 Relevance: 7.7, APIs: 5, Instructions: 202COMMON
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A5170 Relevance: 7.6, APIs: 5, Instructions: 85COMMON
Download Yara Rule
| C-Code - Quality: 66% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A679D Relevance: 7.5, APIs: 5, Instructions: 49COMMON
Download Yara Rule
| C-Code - Quality: 76% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001A2130 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 60% |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001ADAC2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 76% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 63% |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001BE15D Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001B319D Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| C-Code - Quality: 100% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| C-Code - Quality: 68% |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 001AD08D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
Download Yara Rule
| C-Code - Quality: 63% |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 15.4% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 52 |
| Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522B18 Relevance: .3, Instructions: 337COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05A1C5DC Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05A19A6C Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02AB9530 Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02ABEC98 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02ABEC88 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05A127E2 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02AB9364 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05A12832 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 02AB9376 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055244E0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523D48 Relevance: .4, Instructions: 373COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520A28 Relevance: .3, Instructions: 267COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520F68 Relevance: .2, Instructions: 221COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522340 Relevance: .2, Instructions: 197COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055209D8 Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05521358 Relevance: .2, Instructions: 152COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523530 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055219C0 Relevance: .1, Instructions: 134COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055219B0 Relevance: .1, Instructions: 126COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05521DA0 Relevance: .1, Instructions: 114COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05521D92 Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05521428 Relevance: .1, Instructions: 106COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524CF7 Relevance: .1, Instructions: 103COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524348 Relevance: .1, Instructions: 99COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522330 Relevance: .1, Instructions: 97COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05521670 Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520738 Relevance: .1, Instructions: 92COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523C48 Relevance: .1, Instructions: 91COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05521661 Relevance: .1, Instructions: 86COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520418 Relevance: .1, Instructions: 85COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522178 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055224D8 Relevance: .1, Instructions: 72COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522188 Relevance: .1, Instructions: 69COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055225AD Relevance: .1, Instructions: 66COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055225B8 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523470 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523460 Relevance: .1, Instructions: 60COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520360 Relevance: .1, Instructions: 58COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520040 Relevance: .1, Instructions: 56COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524F69 Relevance: .1, Instructions: 53COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055215B8 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522298 Relevance: .1, Instructions: 52COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524F70 Relevance: .1, Instructions: 51COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522F90 Relevance: .0, Instructions: 49COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523520 Relevance: .0, Instructions: 48COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051111A8 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0511114C Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522288 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520D96 Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055243C8 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05111088 Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0552040A Relevance: .0, Instructions: 36COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524338 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524480 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524CB0 Relevance: .0, Instructions: 30COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055203B8 Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520EBF Relevance: .0, Instructions: 28COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520370 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05520DC8 Relevance: .0, Instructions: 26COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051105E9 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523423 Relevance: .0, Instructions: 24COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522F80 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524C73 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055203C8 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051105F0 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524C78 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524CC0 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05524490 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051102D3 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051111F8 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05111288 Relevance: .0, Instructions: 17COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0511125C Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05111234 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05522A14 Relevance: .0, Instructions: 13COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0511027A Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055236C8 Relevance: .0, Instructions: 12COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051110D8 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 051102E8 Relevance: .0, Instructions: 9COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05525221 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05525230 Relevance: .0, Instructions: 6COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0511031B Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05111250 Relevance: .0, Instructions: 5COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05523C2B Relevance: .0, Instructions: 3COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 05111452 Relevance: .0, Instructions: 2COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |