Windows
Analysis Report
file.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- file.exe (PID: 5356 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: E0E8E64DFAD5B7DCAE0D8C569C3995A2) - cmd.exe (PID: 1188 cmdline:
"C:\Window s\System32 \cmd.exe" /c taskkil l /im "fil e.exe" /f & erase "C :\Users\us er\Desktop \file.exe" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - taskkill.exe (PID: 3448 cmdline:
taskkill / im "file.e xe" /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD) - WerFault.exe (PID: 7072 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 356 -s 150 4 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
GCleaner | No Attribution |
{"C2 addresses": ["80.66.75.114"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | ||
JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Compliance |
---|
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | IPs: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_004018E0 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_00404530 | |
Source: | Code function: | 0_2_00422900 | |
Source: | Code function: | 0_2_004132D4 | |
Source: | Code function: | 0_2_00413AB9 | |
Source: | Code function: | 0_2_004096D0 | |
Source: | Code function: | 0_2_005F9937 | |
Source: | Code function: | 0_2_0060353B | |
Source: | Code function: | 0_2_005F4797 |
Source: | Code function: | ||
Source: | Code function: |
Source: | Process created: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_007C51AE |
Source: | Code function: | 0_2_004018E0 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Command line argument: | 0_2_00404530 | |
Source: | Command line argument: | 0_2_00404530 | |
Source: | Command line argument: | 0_2_005F4797 | |
Source: | Command line argument: | 0_2_005F4797 | |
Source: | Command line argument: | 0_2_005F4797 |
Source: | Static PE information: |
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Data Obfuscation |
---|
Source: | Unpacked PE file: |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_00408401 | |
Source: | Code function: | 0_2_0040FEBB | |
Source: | Code function: | 0_2_00604087 | |
Source: | Code function: | 0_2_00600122 | |
Source: | Code function: | 0_2_0060C579 | |
Source: | Code function: | 0_2_005F8668 | |
Source: | Code function: | 0_2_0060467E | |
Source: | Code function: | 0_2_007C7444 | |
Source: | Code function: | 0_2_007C6905 | |
Source: | Code function: | 0_2_007C7118 | |
Source: | Code function: | 0_2_007C81F9 | |
Source: | Code function: | 0_2_007C5EB4 | |
Source: | Code function: | 0_2_007C9F0C | |
Source: | Code function: | 0_2_007C9F0C | |
Source: | Code function: | 0_2_007C871C | |
Source: | Code function: | 0_2_007C9F0C |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | API coverage: |
Source: | Last function: |
Source: | Code function: | 0_2_004306A8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 0_2_004018E0 |
Source: | Code function: | 0_2_004084E5 |
Source: | Code function: | 0_2_00411002 | |
Source: | Code function: | 0_2_0040C4F1 | |
Source: | Code function: | 0_2_005F092B | |
Source: | Code function: | 0_2_00601269 | |
Source: | Code function: | 0_2_005F0D90 | |
Source: | Code function: | 0_2_005FC758 | |
Source: | Code function: | 0_2_007C4A8B |
Source: | Code function: | 0_2_004168EC |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 0_2_00407B06 | |
Source: | Code function: | 0_2_004084E5 | |
Source: | Code function: | 0_2_00408679 | |
Source: | Code function: | 0_2_0040BFEB | |
Source: | Code function: | 0_2_005F88E0 | |
Source: | Code function: | 0_2_005FC252 | |
Source: | Code function: | 0_2_005F7D6D | |
Source: | Code function: | 0_2_005F874C |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_004086E3 |
Source: | Code function: | 0_2_00418885 | |
Source: | Code function: | 0_2_00418910 | |
Source: | Code function: | 0_2_00411112 | |
Source: | Code function: | 0_2_00418B63 | |
Source: | Code function: | 0_2_00418C89 | |
Source: | Code function: | 0_2_00418D8F | |
Source: | Code function: | 0_2_00418E5E | |
Source: | Code function: | 0_2_00411634 | |
Source: | Code function: | 0_2_004187EA | |
Source: | Code function: | 0_2_0041879F | |
Source: | Code function: | 0_2_006090C5 | |
Source: | Code function: | 0_2_0060189B | |
Source: | Code function: | 0_2_00608A51 | |
Source: | Code function: | 0_2_00608A06 | |
Source: | Code function: | 0_2_00608AEC | |
Source: | Code function: | 0_2_00608B77 | |
Source: | Code function: | 0_2_00601379 | |
Source: | Code function: | 0_2_00608DCA | |
Source: | Code function: | 0_2_00608EF0 | |
Source: | Code function: | 0_2_00608FF6 |
Source: | Code function: | 0_2_0040C891 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
31% | Virustotal | Browse | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
100% | Avira URL Cloud | malware | ||
19% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
9% | Virustotal | Browse | ||
8% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
16% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
17% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
12% | Virustotal | Browse | ||
8% | Virustotal | Browse | ||
9% | Virustotal | Browse | ||
16% | Virustotal | Browse |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
80.66.75.114 | unknown | Russian Federation | 20803 | RISS-ASRU | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1500394 |
Start date and time: | 2024-08-28 12:04:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 9s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | file.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@7/8@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.182.143.212
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
06:05:36 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
80.66.75.114 | Get hash | malicious | GCleaner, Nymaim | Browse |
| |
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | GCleaner | Browse |
| ||
Get hash | malicious | GCleaner | Browse |
| ||
Get hash | malicious | GCleaner, Vidar | Browse |
| ||
Get hash | malicious | GCleaner, Nymaim | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RISS-ASRU | Get hash | malicious | GCleaner, Nymaim | Browse |
| |
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | GCleaner | Browse |
| ||
Get hash | malicious | GCleaner | Browse |
| ||
Get hash | malicious | GCleaner, Vidar | Browse |
| ||
Get hash | malicious | GCleaner, Nymaim | Browse |
| ||
Get hash | malicious | Amadey | Browse |
| ||
Get hash | malicious | Tofsee | Browse |
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_687823f3e027695faa9d88d81b6c04ef2f38cb4_d32b1248_a9fcd368-4032-4731-992d-7df4f590d10d\Report.wer
Download File
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.9885757457924258 |
Encrypted: | false |
SSDEEP: | 192:vHlwDEvGPldtd0swwR6I3js7YWdzuiFyZ24IO8TVB:lGN3eswwRJjAzuiFyY4IO8X |
MD5: | 37D08B0C72CA94723B40CECD4D40637D |
SHA1: | 4964A7A067A17C5F2528C939E1CB8DD039382F1C |
SHA-256: | AA7FC45F0665CE721CE8150741B1D040FD1F12A18919F548D06A5AAD493C8BDA |
SHA-512: | 743A54FD82A4BF701530B295711B506DD4CEB8F773B8C4B2C3FD8B8005627D57A6E236D743E4306DC2A3ED34C4D81382A871625146031B22518F2768940E08F1 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 41894 |
Entropy (8bit): | 2.5268013584165483 |
Encrypted: | false |
SSDEEP: | 192:IcsXBPhyGYXdSXvTctOKo7IdnwI2PBaBlo8+tRRo5ja6SEAkuIXeTfYI2+x:hYyGwAT7H8wIUJKjisJOrR |
MD5: | 982F671468F3E962301E35C5805EC501 |
SHA1: | 7D5CB3F48CF7C76A7B4EBF68AB15F3A614C064C4 |
SHA-256: | E620B988674768C7A1DFC7A6B3F98782693403EEBB1AE83AC498D77B8712E483 |
SHA-512: | 7022DEBE81BC34F726D2EC6129A6970A315B68AB77B433174D12FF2960E98EE3A50A8E5A7AD986D950F9BC383444CBDB37521A96C6FBF53462CAF32A99BE3BE5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8284 |
Entropy (8bit): | 3.6963890958389034 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJ3Cz6I636Y9BSU90PGgmfBr//ljGrpDt89bGfsf0muAim:R6lXJ+6I636YrSU9CGgmfV/ljdGEfK0 |
MD5: | A245771AAFDBFBD5625887FFDE03AF8B |
SHA1: | 7D0141EE9E420503687095DD488AA4E801303A53 |
SHA-256: | 4946E988E166140025C2523093D2DEB283D4F90EE3709307764A66FF661AC175 |
SHA-512: | 6D07BA6A3275A24211E914AF561E97A0C03F679ABC9E6DEDFACAB1D6BA15827F37D854117048877625E592E7083F2F03B60C86B61A3F5ED53E4AE14E619972DF |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4537 |
Entropy (8bit): | 4.429048113573814 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsaJg77aI9u5WpW8VYsKYm8M4Jg2F0Wj+q8AG3tz2Ud:uIjfoI7kI7VJJyicdz2Ud |
MD5: | 93724C0E0657CCF20D51356A8A527C9A |
SHA1: | 49D138DE7A0E34ADF9FDAB4F5001BE093AB4304C |
SHA-256: | 8427371BFCEDFCC1289B6FF9161281448803C6E8AA95994B24EDF0395021CBED |
SHA-512: | 8E823E32415C827A1E4843D42DF939AD24A2CA2916DBC0B597F61919DF488755BA480071BCD9E38C1C4040DF7027FFF0CA4D9FB6302D4AC99BBCDE542021FACE |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\file.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:V:V |
MD5: | CFCD208495D565EF66E7DFF9F98764DA |
SHA1: | B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
SHA-256: | 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9 |
SHA-512: | 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.465289633423072 |
Encrypted: | false |
SSDEEP: | 6144:aIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb5:vXD94+WlLZMM6YFH1+5 |
MD5: | F472E3BC66C7E71DF5FF8BA2396A7E7C |
SHA1: | 0D42BDDDC0D3B2A61B9D3B93C0D247F73D3DF8D0 |
SHA-256: | 8654E436966EC5E840CD97F1718309B3DC7ABF71A37480ADB92F30EB8CEBECAD |
SHA-512: | 5C05E497538C982DEB7815A0D1B6F1D4D18CFB3D9C166859EA5FB4D89C1C954AC4D052F0DAB341836486BA8DA7BADAD40D2DA4C0D0F51A0783EBD25E8FC114EC |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.2216502136066145 |
TrID: |
|
File name: | file.exe |
File size: | 288'256 bytes |
MD5: | e0e8e64dfad5b7dcae0d8c569c3995a2 |
SHA1: | 307aa823e40f082fb0ff99fb6996d4f34c5abb45 |
SHA256: | 9f860b523257827deceedaf7f95fba8e45e241602003ead07ad41727dbcd2f4c |
SHA512: | 49e409041af711ac6ce33ff5870bd8d732d91aa1440cb73558ab846ad6750358ae458246a016e920c993c897e06dbe79601a2c4cf0f0866a678acc9f80056c9f |
SSDEEP: | 3072:xwySb8zVbbEEyNej1dI0D9R40DWbwtORdekyE22JsH/ES:xwySb8zCEyNAJD9/D7O651Ysf |
TLSH: | 9D54AD0176FE90E6EEA747305970C6A45E3B7D836BB6428F32703E1FAD732916560B12 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u...............b~......bK......b.......lF..............bz......bO......bH.....Rich....................PE..L...u.}d........... |
Icon Hash: | 1518111211911209 |
Entrypoint: | 0x4016fc |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x647D9275 [Mon Jun 5 07:44:53 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 1d9d33e4f206a54f8ff0f700699cf53a |
Instruction |
---|
call 00007FE824E3D322h |
jmp 00007FE824E3A42Eh |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [00435738h], eax |
mov dword ptr [00435734h], ecx |
mov dword ptr [00435730h], edx |
mov dword ptr [0043572Ch], ebx |
mov dword ptr [00435728h], esi |
mov dword ptr [00435724h], edi |
mov word ptr [00435750h], ss |
mov word ptr [00435744h], cs |
mov word ptr [00435720h], ds |
mov word ptr [0043571Ch], es |
mov word ptr [00435718h], fs |
mov word ptr [00435714h], gs |
pushfd |
pop dword ptr [00435748h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [0043573Ch], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [00435740h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [0043574Ch], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [00435688h], 00010001h |
mov eax, dword ptr [00435740h] |
mov dword ptr [0043563Ch], eax |
mov dword ptr [00435630h], C0000409h |
mov dword ptr [00435634h], 00000001h |
mov eax, dword ptr [00434004h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [00434008h] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [000000C4h] |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32bdc | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x39000 | 0x12488 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x329f8 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x329b0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x31000 | 0x150 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2f9e3 | 0x2fa00 | 7f5bffb43b5b03a0390c727d92058dc3 | False | 0.671147063648294 | data | 6.546805702623862 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x31000 | 0x238e | 0x2400 | b3b2bd83deb09c9769dc149080356d3b | False | 0.3458116319444444 | data | 4.987489926123125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x34000 | 0x3da0 | 0x1800 | 4f0447a8ed686f029ff2e96f2d988cad | False | 0.23909505208333334 | data | 2.62529656263443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.tls | 0x38000 | 0x51d | 0x600 | d00a0884dfc2593613905d91d2ea3f37 | False | 0.015625 | data | 0.007830200398677895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x39000 | 0x12488 | 0x12600 | 8bdbd59954f1c144ce4accf6b6cfa5d1 | False | 0.45669908588435376 | data | 5.1758578130359005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x46768 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | 0.7368421052631579 | ||
RT_CURSOR | 0x46898 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | 0.06130705394190871 | ||
RT_ICON | 0x396d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.591684434968017 |
RT_ICON | 0x3a578 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6642599277978339 |
RT_ICON | 0x3ae20 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7275345622119815 |
RT_ICON | 0x3b4e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.763728323699422 |
RT_ICON | 0x3ba50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5485477178423237 |
RT_ICON | 0x3dff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6688555347091932 |
RT_ICON | 0x3f0a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6872950819672131 |
RT_ICON | 0x3fa28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8111702127659575 |
RT_ICON | 0x3ff08 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.339818763326226 |
RT_ICON | 0x40db0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.4675090252707581 |
RT_ICON | 0x41658 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5023041474654378 |
RT_ICON | 0x41d20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.5260115606936416 |
RT_ICON | 0x42288 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.4259336099585062 |
RT_ICON | 0x44830 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.43363039399624764 |
RT_ICON | 0x458d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.43565573770491806 |
RT_ICON | 0x46260 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.449468085106383 |
RT_DIALOG | 0x49018 | 0x84 | data | 0.7651515151515151 | ||
RT_STRING | 0x490a0 | 0x334 | Matlab v4 mat-file (little endian) u, numeric, rows 0, columns 0 | 0.4853658536585366 | ||
RT_STRING | 0x493d8 | 0x6b2 | data | 0.43115519253208867 | ||
RT_STRING | 0x49a90 | 0x136 | data | 0.5129032258064516 | ||
RT_STRING | 0x49bc8 | 0x66a | data | 0.43605359317904996 | ||
RT_STRING | 0x4a238 | 0x66e | data | 0.4380315917375456 | ||
RT_STRING | 0x4a8a8 | 0x548 | data | 0.44822485207100593 | ||
RT_STRING | 0x4adf0 | 0x618 | data | 0.433974358974359 | ||
RT_STRING | 0x4b408 | 0x7a | data | 0.6475409836065574 | ||
RT_ACCELERATOR | 0x46740 | 0x28 | data | 1.025 | ||
RT_GROUP_CURSOR | 0x48e40 | 0x22 | data | 1.088235294117647 | ||
RT_GROUP_ICON | 0x466c8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288 |
RT_GROUP_ICON | 0x3fe90 | 0x76 | data | Turkish | Turkey | 0.6610169491525424 |
RT_VERSION | 0x48e68 | 0x1ac | data | 0.6004672897196262 |
DLL | Import |
---|---|
KERNEL32.dll | DebugActiveProcess, GetNumaNodeProcessorMask, GetConsoleAliasesLengthW, GetDefaultCommConfigW, GetConsoleAliasExesLengthA, WriteConsoleOutputW, InterlockedIncrement, GetEnvironmentStringsW, GetComputerNameW, CallNamedPipeW, GetModuleHandleW, GetUserDefaultLangID, GetCommandLineA, GetSystemTimes, GlobalAlloc, LoadLibraryW, HeapDestroy, LeaveCriticalSection, GlobalFlags, SetConsoleMode, CreateDirectoryA, InterlockedExchange, GetStartupInfoA, GetLastError, GetProcAddress, SetStdHandle, SearchPathA, GetNumaHighestNodeNumber, LoadLibraryA, QueryDosDeviceW, FindNextChangeNotification, FoldStringA, GetModuleFileNameA, FreeEnvironmentStringsW, VirtualProtect, EnumDateFormatsW, LocalSize, FindAtomW, HeapFree, HeapAlloc, EncodePointer, DecodePointer, MultiByteToWideChar, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, Sleep, HeapSize, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WideCharToMultiByte, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, HeapReAlloc, RtlUnwind, LCMapStringW, GetStringTypeW, IsProcessorFeaturePresent |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Turkish | Turkey |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 28, 2024 12:04:57.861475945 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:04:57.866358042 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:04:57.866465092 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:04:57.866602898 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:04:57.871360064 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:04:58.559222937 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:04:58.559341908 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:04:58.578448057 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:04:58.583333015 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:04:58.819294930 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:04:58.819417000 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:00.838357925 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:01.081393003 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:01.296654940 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:01.296717882 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:03.307447910 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:03.312418938 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:03.535039902 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:03.535092115 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:05.619745016 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:05.626123905 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:05.849441051 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:05.849520922 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:07.869872093 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:07.876579046 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:08.117543936 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:08.117644072 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:10.135840893 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:10.140665054 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:10.377706051 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:10.377784014 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:12.493171930 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:12.497973919 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:12.719479084 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:12.719585896 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:14.745620012 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:15.056560040 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:15.544934034 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:15.544943094 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:15.767347097 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:15.767431974 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:17.816349030 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:17.821341991 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:18.043237925 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:18.043323994 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:20.073167086 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:20.079392910 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:20.297216892 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:20.297288895 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:22.323281050 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:22.328246117 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:22.570949078 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:22.571201086 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:27.577004910 CEST | 80 | 49730 | 80.66.75.114 | 192.168.2.4 |
Aug 28, 2024 12:05:27.578176022 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
Aug 28, 2024 12:05:37.182760000 CEST | 49730 | 80 | 192.168.2.4 | 80.66.75.114 |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49730 | 80.66.75.114 | 80 | 5356 | C:\Users\user\Desktop\file.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Aug 28, 2024 12:04:57.866602898 CEST | 400 | OUT | |
Aug 28, 2024 12:04:58.559222937 CEST | 204 | IN | |
Aug 28, 2024 12:04:58.578448057 CEST | 394 | OUT | |
Aug 28, 2024 12:04:58.819294930 CEST | 203 | IN | |
Aug 28, 2024 12:05:00.838357925 CEST | 394 | OUT | |
Aug 28, 2024 12:05:01.296654940 CEST | 203 | IN | |
Aug 28, 2024 12:05:03.307447910 CEST | 394 | OUT | |
Aug 28, 2024 12:05:03.535039902 CEST | 203 | IN | |
Aug 28, 2024 12:05:05.619745016 CEST | 394 | OUT | |
Aug 28, 2024 12:05:05.849441051 CEST | 203 | IN | |
Aug 28, 2024 12:05:07.869872093 CEST | 394 | OUT | |
Aug 28, 2024 12:05:08.117543936 CEST | 203 | IN | |
Aug 28, 2024 12:05:10.135840893 CEST | 394 | OUT | |
Aug 28, 2024 12:05:10.377706051 CEST | 203 | IN | |
Aug 28, 2024 12:05:12.493171930 CEST | 394 | OUT | |
Aug 28, 2024 12:05:12.719479084 CEST | 203 | IN | |
Aug 28, 2024 12:05:14.745620012 CEST | 394 | OUT | |
Aug 28, 2024 12:05:15.056560040 CEST | 394 | OUT | |
Aug 28, 2024 12:05:15.767347097 CEST | 203 | IN | |
Aug 28, 2024 12:05:17.816349030 CEST | 394 | OUT | |
Aug 28, 2024 12:05:18.043237925 CEST | 203 | IN | |
Aug 28, 2024 12:05:20.073167086 CEST | 394 | OUT | |
Aug 28, 2024 12:05:20.297216892 CEST | 203 | IN | |
Aug 28, 2024 12:05:22.323281050 CEST | 394 | OUT | |
Aug 28, 2024 12:05:22.570949078 CEST | 203 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 06:04:52 |
Start date: | 28/08/2024 |
Path: | C:\Users\user\Desktop\file.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 288'256 bytes |
MD5 hash: | E0E8E64DFAD5B7DCAE0D8C569C3995A2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 06:05:24 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 06:05:24 |
Start date: | 28/08/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 06:05:24 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\taskkill.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x780000 |
File size: | 74'240 bytes |
MD5 hash: | CA313FD7E6C2A778FFD21CFB5C1C56CD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 9 |
Start time: | 06:05:24 |
Start date: | 28/08/2024 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6f0000 |
File size: | 483'680 bytes |
MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 4.1% |
Dynamic/Decrypted Code Coverage: | 4.3% |
Signature Coverage: | 14.9% |
Total number of Nodes: | 657 |
Total number of Limit Nodes: | 12 |
Graph
Function 004306A8 Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 243librarymemorypipeCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004018E0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 298networkfileCOMMON
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007C51AE Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00403640 Relevance: 32.4, APIs: 14, Strings: 4, Instructions: 947fileprocessCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004017A0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103networkCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004032C0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004033C0 Relevance: 4.6, APIs: 3, Instructions: 51COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401DC0 Relevance: 3.2, APIs: 2, Instructions: 174COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00404130 Relevance: 2.7, APIs: 2, Instructions: 171sleepCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004304E3 Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041225F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004304BE Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004304C5 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 007C4E6D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00418E5E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00418C89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00608EF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004084E5 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F874C Relevance: 6.1, APIs: 4, Instructions: 73COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00418910 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00608B77 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C891 Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004086E3 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00418B63 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00608DCA Relevance: 1.6, APIs: 1, Instructions: 83COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00418D8F Relevance: 1.5, APIs: 1, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00608FF6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00411112 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00601379 Relevance: 1.5, APIs: 1, Instructions: 33COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00408679 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F88E0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004168EC Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00413AB9 Relevance: .6, Instructions: 637COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00422900 Relevance: .2, Instructions: 179COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004096D0 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F9937 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 007C4A8B Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F0D90 Relevance: .0, Instructions: 43COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00411002 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00601269 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040CEE0 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005FD147 Relevance: 22.9, APIs: 15, Instructions: 357COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407D94 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00416E8E Relevance: 18.4, APIs: 12, Instructions: 373COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040AD92 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005FAFF9 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00410A98 Relevance: 15.1, APIs: 10, Instructions: 69COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00600CFF Relevance: 15.1, APIs: 10, Instructions: 69COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004172AD Relevance: 13.7, APIs: 9, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00607514 Relevance: 13.7, APIs: 9, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407909 Relevance: 12.2, APIs: 8, Instructions: 175COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004112DB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F7B70 Relevance: 9.2, APIs: 6, Instructions: 175COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00405BE0 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F5E47 Relevance: 9.1, APIs: 6, Instructions: 99COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040BBF7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040C533 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0041202C Relevance: 7.7, APIs: 5, Instructions: 199COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F2FC7 Relevance: 7.7, APIs: 5, Instructions: 162COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F1B47 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 298networkfileCOMMON
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004153F1 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00605658 Relevance: 6.1, APIs: 4, Instructions: 86COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005F3527 Relevance: 6.1, APIs: 4, Instructions: 71COMMON
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00430647 Relevance: 6.0, APIs: 4, Instructions: 32memoryCOMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00407F04 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040E6B7 Relevance: 6.0, APIs: 4, Instructions: 19COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005FE91E Relevance: 6.0, APIs: 4, Instructions: 19COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040B13C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 005FB3A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|